Researchers have discovered a zero-day vulnerability in the Microsoft Jet Database Engine that allows remote hacking of Windows systems. Although the researchers discovered this Windows Jet Database vulnerability some time ago and reported it, Microsoft hasn’t released a patch for it yet. Nonetheless, 0patch has released a micropatch for the flaw to protect users.
Zero-Day Windows Jet Database Vulnerability Discovered
Recently, security researcher Lucas Leong from the Trend Micro Zero Day Initiative disclosed a flaw he found in the Microsoft Jet Database Engine. As reported, he found a zero-day Windows Jet Database vulnerability that allows an attacker to execute code remotely.
According to the ZDI report, the out-of-bounds (OOB) write flaw exists in the Jet Database Engine's handling of indexes. Exploiting this flaw simply requires the target to open a malicious Jet database file. After that, the attacker can remotely execute arbitrary code on the affected system with the current user's privileges.
As stated in the ZDI security advisory,
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.”
While the researcher confirmed that Windows 7 is vulnerable to this flaw, the other vulnerable versions remain unconfirmed. Nonetheless, they suspect that all Windows server editions and other compatible versions are affected by this bug.
Patch Awaited From Microsoft
Although ZDI allegedly disclosed the vulnerability to Microsoft in May 2018, the vendor had not released a patch by the time of public disclosure. In fact, Microsoft didn’t even fix the flaw in the latest September patch updates, despite releasing patches for other Jet database vulnerabilities and fixing another zero-day flaw. Hence, ZDI disclosed the vulnerability publicly after the agreed disclosure period expired.
For now, ZDI simply recommends that users remain cautious before opening any files.
“In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.”
Meanwhile, 0patch has released micropatches for this vulnerability.
We're happy to announce general availability of two free micropatches for the Jet Engine Out-Of-Bounds Write vulnerability disclosed yesterday by @thezdi. These micropatches apply to fully updated 32bit and 64bit:
– Windows 10
– Windows 8.1
– Windows 7
– Windows Server 2008-2016
— 0patch (@0patch) September 21, 2018
0patch further confirmed that Windows 7, 8.1, 10, and Windows Server 2008-2016 are vulnerable to this flaw.
Besides, users can see the proof-of-concept for this vulnerability here.