Zero Day Initiative disclosed unpatched Microsoft Jet database flaw

All supported versions of Windows affected by remote code execution bug

Microsoft Jet database interface

Security researchers have disclosed a remote code execution vulnerability that affects the Microsoft Jet Database Engine.

According to a blog post by the Zero Day Initiative (ZDI), an out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft back in May. Microsoft managed to reproduce the bug shortly afterwards.

While Microsoft has patched two other buffer overflow bugs in Jet in its latest Patch Tuesday update, this bug has been left out and will be fully patched in the October update.

"An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file. As of today, this bug remains unpatched," said Simon Zuckerbraun, a security researcher at ZDI.

The bug affects all supported Windows versions including server editions. The flaw itself can be triggered by opening a Jet source via a Microsoft component known as Object Linking and Embedding Database (OLEDB).

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"To trigger this vulnerability, a user would need to open a specially crafted file containing data stored in the JET database format. Various applications use this database format. An attacker using this would be able to execute code at the level of the current process," said Zuckerbraun.

In a security advisory, ZDI said the issue is in Microsoft Jet's index manager. "Crafted data in a database file can trigger a write past the end of an allocated buffer," stated the advisory.

The advisory said that given the nature of the vulnerability "the only salient mitigation strategy is to restrict interaction with the application to trusted files".

A proof-of-concept exploit code has been posted on GitHub.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Most Popular

Visit/operating-systems/microsoft-windows/354789/microsoft-pulls-disastrous-windows-10-security-update
Microsoft Windows

Microsoft pulls disastrous Windows 10 security update

17 Feb 2020
Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/business/business-operations/354790/hp-shareholders-invited-to-come-dine-with-xerox
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020