Unpatched Microsoft Zero-Day in JET Allows Remote Code-Execution

Microsoft said that it’s working on a fix for a zero-day flaw in its JET Database Engine.

A Microsoft zero-day has been uncovered that could allow remote code-execution, and as of now it remains unpatched.

According to Trend Micro’s Zero Day Initiative (ZDI), the flaw is an out-of-bounds (OOB) write in the Microsoft JET Database Engine, which underlies the Microsoft Access and Visual Basic software; it’s a less well-known alternative to Microsoft’s flagship SQL Server.

“The root cause boils down to how the JET Database Engine handles malformed data in a database file,” Dustin Childs, communications manager for ZDI, told Threatpost. “Improper handling of the malformed data could lead to code execution.”

According to ZDI, the specific flaw exists within the management of indexes in JET. It can be triggered by opening a booby-trapped JET database file via OLEDB, an API designed by Microsoft that enables data to be accessed from an array of disparate sources in a uniform manner. Doing so would cause a “write past the end of an allocated buffer,” i.e., a crash, which in turn would allow an adversary to execute code with the same privileges as the target machine’s legitimate user.

The good news is that exploiting the flaw would take some social engineering; the target would need to be coaxed to open a specially crafted file containing malicious data stored in the JET database format (and ZDI pointed out in its advisory on Thursday that various applications use that format). Adversaries could also trigger an exploit with a weaponized web page, according to ZDI – although 0patch co-founder Mitja Kolsek said via Twitter he had trouble getting that to execute.

The vulnerability exists in Windows 7 (ZDI has issued proof-of-concept code for the bug), but ZDI said that it believes that “all supported Windows versions are impacted by this bug, including server editions.”

Microsoft patched two other issues in JET in the September Patch Tuesday updates, both of them listed as buffer overflows. For its part, the vendor has acknowledged the zero-day (first reported to Microsoft in May by Lucas Leong of Trend Micro Security Research) and said that it is working on a patch. In the meantime, 0patch promised that a micropatch for Windows 7 is forthcoming.

Other than that, businesses using JET should work on employee awareness and caution them not to open files from untrusted sources.

“This is a critical-severity bug since it allows remote code-execution at the level of the current process,” Childs told us. “JET is most commonly associated with the Access database and Office, but it’s a widely-deployed component.”

Discussion

  • Mitja Kolsek:

    Update: 0patch is happy to announce general availability of two free micropatches for this vulnerability. These micropatches apply to fully updated 32bit and 64bit:
    - Windows 10
    - Windows 8.1
    - Windows 7
    - Windows Server 2008-2016
    We have confirmed that all of the above Windows versions *are* vulnerable. Everyone is welcome to download the free 0patch Agent from the 0patch website and register a free account.
