Patches and Vulnerabilities


ActiveX Is Vulnerable to Attacks Even Without Vulnerabilities

Claims Symantec

By Marius Oiaga, Technology News Editor

11th of August 2008, 14:51 GMT

Internet Explorer users are vulnerable to attacks targeting ActiveX, even when ActiveX is vulnerability-free, claims security company Symantec. According to Symantec's Sean Hittel, attackers have found a way to essentially serve users the vulnerability prior to exploiting it. The target is a critical security flaw in the ActiveX Control for the Snapshot Viewer for Microsoft Access.
Microsoft patched the vulnerability via a security bulletin issued in July 2008, but the update was deployed only to systems that had the software installed. Symantec claims that all Internet Explorer users are vulnerable to the issue.

"Recently, we came across a rather unfortunate exploit case for the Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed. How does one exploit a vulnerability that does not exist on a system you say? Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it," Hittel stated.

Symantec indicated that the control is signed and, as such, its installation is completely silent. In fact, no user interaction is required for a system to become vulnerable. The attackers' aim is to install the vulnerable control on the targeted computers, and then exploit the associated vulnerability.

"Once this vulnerable control is installed on the victim's computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected," Hittel stated.

Microsoft's ActiveX technology is a notorious vector for attacks due to its ubiquity and distribution model. Symantec has warned that the silent ActiveX installations, part of the core of ActiveX operation, contribute to exposing end users to security risks.

© Copyright 2001-2009 Softpedia