Unpatched Microsoft Zero-Day in JET Allows Remote Code-Execution

Microsoft said that it’s working on a fix for a zero-day flaw in its JET Database Engine.

A Microsoft zero-day has been uncovered that could allow remote code-execution; and as of now, it remains unpatched.

According to Trend Micro’s Zero Day Initiative (ZDI), the flaw is an out-of-bounds (OOB) write in the Microsoft JET Database Engine, which underlies the Microsoft Access and Visual Basic software; it’s a less well-known alternative to Microsoft’s flagship SQL Server.

“The root cause boils down to how the JET Database Engine handles malformed data in a database file,” Dustin Childs, communications manager for ZDI, told Threatpost. “Improper handling of the malformed data could lead to code execution.”

According to ZDI, the specific flaw exists within the management of indexes in JET. It can be triggered by opening a booby-trapped JET database file via OLEDB, which is an API designed by Microsoft that enables data to be accessed from an array of disparate sources in a uniform manner.  That consequently would cause a “write past the end of an allocated buffer,” i.e., a crash, which in turn would allow an adversary to execute code with the same privileges as the target machine’s legitimate user.

The good news is that exploiting the flaw would take some social engineering; the target would need to be coaxed to open a specially crafted file containing malicious data stored in the JET database format (and ZDI pointed out in its advisory on Thursday that various applications use that format). Adversaries could also trigger an exploit with a weaponized web page, according to ZDI – although 0patch co-founder Mitja Kolsec said via Twitter he had trouble getting that to execute.

The vulnerability exists in Windows 7 (ZDI has issued proof-of-concept code for the bug), but it said that it believes that “all supported Windows version are impacted by this bug, including server editions.”

Microsoft patched two other issues in JET in the September Patch Tuesday updates, both of them listed as buffer overflows. For its part, the vendor has acknowledged the zero-day (first reported to Microsoft in May by Lucas Leong of Trend Micro Security Research) and said that it is working on a patch. In the meantime, 0patch promised that a micropatch for Windows 7 is forthcoming.

Other than that, businesses using JET should work on employee awareness and caution them not to open files from untrusted sources.

“This is a critical-severity bug since it allows remote code-execution at the level of the current process,” Childs told us. “JET is most commonly associated with the Access database and Office, but it’s a widely-deployed component.”

Suggested articles