Microsoft patched a zero-day in its JET Database Engine this week – but the patch was incomplete, according to researchers at 0patch. The company has developed a micropatch that corrects that hole, it said Friday.
The memory corruption vulnerability (CVE-2018-8423) could allow remote code execution. It was found by Trend Micro’s Zero Day Initiative (ZDI), which publicly disclosed it as an unpatched zero-day 135 days after reporting it to Microsoft. Eighteen days later, Microsoft issued a fix as part of this week’s Patch Tuesday updates.
The flaw is an out-of-bounds (OOB) write in the JET Database Engine, the storage engine behind Microsoft Access that is also used by Visual Basic applications. It is a less well-known alternative to Microsoft’s flagship SQL Server.
“The root cause boils down to how the JET Database Engine handles malformed data in a database file,” Dustin Childs, communications manager for ZDI, told Threatpost. “Improper handling of the malformed data could lead to code execution.”
According to ZDI, the specific flaw exists within the management of indexes in JET. It can be triggered by opening a booby-trapped JET database file via OLEDB, a Microsoft API that exposes data from an array of disparate sources through one uniform interface. Malformed index data causes JET to “write past the end of an allocated buffer.” In the simplest case that corrupts adjacent memory and crashes the process; with a carefully crafted file, an adversary can steer the corruption into executing code with the same privileges as the user who opened the file.
Because the vulnerability was published as a zero-day before an official patch was available, 0patch issued a micropatch just a day after the disclosure. It has now issued another micropatch to correct the official patch.
The problem lies in one of Windows’ core dynamic link libraries, “msrd3x40.dll,” the JET engine binary itself.
“As expected, the update brought a modified msrd3x40.dll binary: this is the binary with the vulnerability, which we had micropatched with four CPU instructions (one of which was just for reporting purposes),” said Mitja Kolsek, a researcher with the 0patch team, in a notice about the fresh fix. “The version of msrd3x40.dll changed from 4.0.9801.0 to 4.0.9801.5 and of course its cryptographic hash also changed – which resulted in our micropatch for this issue no longer getting applied to msrd3x40.dll.”
However, when the company compared Microsoft’s changes to the binary against its own micropatch, it found that the official fix differed slightly, “unfortunately in a way that only limited the vulnerability instead of eliminating it,” Kolsek said.
The original ZDI proof-of-concept is blocked by Microsoft’s patch, but it can be slightly modified to again cause memory corruption, he explained in an email to Threatpost.
“Microsoft’s patch undoubtedly limits the attacker’s ability to exploit the vulnerability, but we can’t say to what extent; this could only be answered by a skilled exploit developer investing due effort in actually trying to exploit this to launch malicious code on user’s computer,” he told us. “If an exploit was developed for this ‘remaining’ issue, it would very much look like an exploit for the unpatched issue – so there would likely be no more hoops to go through.”
There are, however, mitigating factors to successful exploitation: the technique relies on social engineering to convince a user to open a malicious attachment, since the crafted database file has to be opened through JET on the victim’s machine. Users should, as always, use caution when opening emails from unknown senders, opening unknown files, or accepting file transfers.
0patch has notified Microsoft about the problem and said it will wait for an official update before publishing proof-of-concept details; Kolsek told Threatpost that it has not yet received confirmation from Microsoft.
Jeff Jones, senior director at Microsoft, told Threatpost that “We’re aware of the report and will take additional action to protect customers if needed.”
Kolsek said the new micropatch (0patch has published a video demonstration) fixes fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012, as well as other Windows versions that share the same build of msrd3x40.dll. Because the micropatch is keyed to the 4.0.9801.5 build, it applies only to systems that have already installed the October update.
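Both the Microsoft update and the 0patch micropatch are tied to a specific build of msrd3x40.dll (the version and hash change quoted above is exactly what stopped the first micropatch from applying), so an administrator’s first question is which build a given machine carries. The following PowerShell is an added example, not code from the article, Microsoft or 0patch. It assumes the DLL lives under System32 and, on 64-bit Windows, SysWOW64, and uses only the two version numbers the article quotes.

```powershell
# Added example (not from the article, Microsoft or 0patch): report which build
# of the JET engine binary msrd3x40.dll a machine carries.
# Version numbers are those quoted in the article: 4.0.9801.0 is the build with
# the original flaw, 4.0.9801.5 is the build shipped by the October update.
# The file locations are assumptions: JET 4.0 normally sits in System32 and,
# on 64-bit Windows, a 32-bit copy sits in SysWOW64.
$UpdatedBuild = [version]'4.0.9801.5'

function Get-JetEngineState {
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\msrd3x40.dll'),
        (Join-Path $env:SystemRoot 'SysWOW64\msrd3x40.dll')
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build a System.Version from the numeric parts instead of parsing the
        # FileVersion string, which is free-form text and not always a clean
        # dotted number.
        $build = New-Object -TypeName System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        $state = if ($build -ge $UpdatedBuild) {
            'October update build or newer (Microsoft fix, which 0patch reports as incomplete)'
        } else {
            'pre-update build (original flaw unpatched by Microsoft)'
        }

        [pscustomobject]@{
            Path   = $path
            Build  = $build.ToString()
            State  = $state
            # A binary-keyed micropatch matches on the file's hash; record it so
            # it is obvious when two machines carry different copies of the DLL.
            Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-JetEngineState | Format-Table -AutoSize
```

Run it in PowerShell 4 or later (Get-FileHash is not available earlier). Note what the check does and does not tell you: it shows whether the October update build of the DLL is present, not whether the residual issue 0patch describes has been micropatched, because 0patch applies its fixes in memory and leaves the on-disk file, and therefore its hash, unchanged.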
This posting was updated on Oct. 17 with input from 0patch and Microsoft.