cbcvebase.
CVE-2008-2463
published 2008-07-07

Priority: P2 67
CVSS 2.0: 6.8 (medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 59.13% (99.0th percentile)
The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. NOTE: this can be leveraged for code execution by writing to a Startup folder.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
microsoft | office_snapshot_viewer_activex | |
microsoft | office_snapshot_viewer_activex | |
microsoft | office_snapshot_viewer_activex | |

Detection & IOCs (extracted from sources)

url: hxxp://bizoplata.ru/pay.html
domain: bizoplata.ru
filename: snapview.ocx
filename: Ms-Access-SnapShot.html
path: C:/Docume~1/ALLUSE~1/trojan.exe
other: snpvw.Snapshot Viewer Control.1
snort: SID 13903-13910
snort: SID 15362
  • Detect ActiveX instantiation of the Snapshot Viewer Control by looking for the ProgID 'snpvw.Snapshot Viewer Control.1' in HTML/script content delivered over HTTP.
  • Detect JavaScript obfuscation via excessive String.fromCharCode() density: more than ~5 calls within a 500-byte window is a strong indicator of malicious obfuscation used to hide this exploit.
  • Detect eval(unescape('...')) obfuscation pattern where unescape payload is large — a known technique used to deliver this and related ActiveX exploits.
  • Monitor for files written to Startup folder paths (e.g., All Users\Start Menu\Programs\Startup) by browser or ActiveX processes, as the exploit leverages this for code execution persistence.
  • Exploit delivery uses chained HTTP 302 redirects and nested 1x1 pixel iframes across multiple levels before serving the final ActiveX exploit page — multi-hop redirect chains to small iframes are a detection signal.
  • Snort SIDs 13903-13910 cover direct (non-obfuscated) CVE-2008-2463 exploit traffic but will NOT fire on heavily obfuscated JavaScript delivery of the same exploit.
  • SID 15362 (String.fromCharCode density detection) may generate false positives against legitimate sites that obfuscate JavaScript; analyst triage or per-site whitelisting is recommended.
  • The eval(unescape()) detection rule may also generate occasional false positives and should be tuned accordingly.
  • The Metasploit module randomizes the ActiveX object variable name and the dropped executable filename, so static string signatures on those values will not be reliable.
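
The three content heuristics in the list above (ProgID match, String.fromCharCode density, large eval(unescape()) payload), sketched as an added Python example that is not taken from the page's sources or from the Snort rules themselves. The 256-byte "large" threshold, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re

# ProgID from the page; matched case-insensitively in the raw HTTP body.
PROGID = re.compile(re.escape(b"snpvw.Snapshot Viewer Control.1"), re.I)
FROMCHARCODE = re.compile(rb"String\s*\.\s*fromCharCode\s*\(", re.I)
EVAL_UNESCAPE = re.compile(rb"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1", re.I | re.S)

WINDOW = 500         # bytes, per the page
MAX_CALLS = 5        # "more than ~5 calls", per the page
LARGE_PAYLOAD = 256  # assumption: the page only says "large"


def fromcharcode_dense(body):
    """True if more than MAX_CALLS fromCharCode calls start within any WINDOW bytes."""
    starts = [m.start() for m in FROMCHARCODE.finditer(body)]
    lo = 0
    for hi, pos in enumerate(starts):
        while pos - starts[lo] >= WINDOW:  # slide the window's left edge forward
            lo += 1
        if hi - lo + 1 > MAX_CALLS:
            return True
    return False


def scan(body):
    """Return the names of the heuristics that fire on one HTTP response body."""
    hits = []
    if PROGID.search(body):
        hits.append("progid")
    if fromcharcode_dense(body):
        hits.append("fromcharcode-density")
    if any(len(m.group(2)) >= LARGE_PAYLOAD for m in EVAL_UNESCAPE.finditer(body)):
        hits.append("eval-unescape-large")
    return hits


# Constructed sample bodies (harmless): none carries exploit logic.
SAMPLES = {
    "benign": b"<script>var c = String.fromCharCode(65);</script>",
    "direct": b'<script>var o = new ActiveXObject("snpvw.Snapshot Viewer Control.1");</script>',
    "charcode": b"<script>document.write("
                + b"+".join([b"String.fromCharCode(104)"] * 8) + b");</script>",
    "unescape": b"<script>eval(unescape('" + b"%41" * 100 + b"'));</script>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} -> {scan(body) or 'no hit'}")
```

The direct sample trips only the ProgID check and the obfuscated samples trip only the obfuscation checks, which mirrors the coverage caveat in the list above: a literal-string signature and an obfuscation heuristic need to run side by side.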

CVSS provenance

nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | 6.8 | MEDIUM