US-CERT warns of Microsoft Access Database attacks

Summary: According to a US-CERT alert, the attacks are using an unpatched stack buffer overflow vulnerability in the way Microsoft Access handles specially crafted database files.


On the same day Microsoft issued fixes for at least 11 Windows software flaws, the U.S. Computer Emergency Response Team (US-CERT) warned that hackers were using malicious Microsoft Access databases to launch attacks against unknown targets.

According to a US-CERT alert, the attacks are using an unpatched stack buffer overflow vulnerability in the way Microsoft Access handles specially crafted database files.

Opening a specially crafted Microsoft Access Database (e.g., .MDB) can cause arbitrary code execution without requiring any additional user interaction. Microsoft Access files are considered to be high-risk, so it may be possible to execute arbitrary code without using a vulnerability in Microsoft Access.

Mark Miller, a director in Microsoft's security response center, said the company is aware of the attack reports and stressed that the file type being used (.MDB) is an unsafe file type. "Various Microsoft applications prevent users from opening this type of file, or warn them before they open the file," Miller said via e-mail.

To help protect against this type of attack, US-CERT recommends:

  •     Do not open attachments from unsolicited email messages
  •     Block high-risk file attachments at email gateways
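
One way a mail gateway could apply the second recommendation, as an added example that is not from US-CERT or the article: it flags attachments by extension and by the `Standard Jet DB` marker found at byte offset 4 of Jet database files, so a renamed .MDB is still caught. The extension list, function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: illustrative block list; the article names only .MDB.
HIGH_RISK_EXTENSIONS = (".mdb",)
# Jet database files carry this ASCII marker at byte offset 4.
JET_MAGIC = b"Standard Jet DB"


def looks_like_jet_db(payload: bytes) -> bool:
    """True when the content is a Jet database, whatever the file is called."""
    return payload[4:4 + len(JET_MAGIC)] == JET_MAGIC


def blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every MIME part a gateway should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches nested multipart containers
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if looks_like_jet_db(payload):
            findings.append((name, "Jet database content"))
        elif name.lower().endswith(HIGH_RISK_EXTENSIONS):
            findings.append((name, "high-risk extension"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: header bytes only, not a working database."""
    jet_header = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 45
    msg = EmailMessage()
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    for filename, data in (("figures.mdb", jet_header),
                           ("figures.txt", jet_header),  # name hides the type
                           ("empty.mdb", b"not a database"),
                           ("notes.bin", b"harmless bytes")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Attachments inside archives are not unpacked here; a gateway would need to apply the same content check to archive members.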

A proof-of-concept exploit for a code execution hole in the Jet DB engine (which is built into Microsoft Access) is publicly available. The flaw affects Microsoft Office Access 2003 on Windows XP SP2.

  • Oh Nelly ,,,

    This is a no show. According to the Microsoft Zealots/Shills and what have you nots,
    that if this hasn't exploited their machine then it is non-existent.
    • To be fair

      To be fair, Apple/Linux zealots say the same thing, if an exploit isn't circulating for a hole in, say OSX, then it doesn't matter if they are sitting wide open.
      • Misread his point, but your point is equally valid

        His point seemed to indicate that if a Windows user isn't personally affected by a problem then a problem doesn't exist. That's not saying that an exploit isn't circulating, just that it hasn't circulated to their box. I would agree with both of you that regardless as to whether someone is personally affected or even if an exploit isn't circulating, a security hole is a security hole is a security hole. Someone will find it eventually. They might not attack you, but the fact that they attack someone else could have an impact on you indirectly. Fixing infected computers ain't free, and those costs to business eventually wind up hitting consumers in the pocketbook. As they say, crap rolls downhill and consumers are always at the bottom of the pile.
    • And someday Mr. Leo Tard...

      these same issues will affect your precious little OSX if they ever get any market share? There's no money in attacking a toy computer! I read that Snapple has done a ton of patching the X. However, I do like Apple as they don't necessarily publicize their breaches therefore making it more difficult to attack them. Not being a zealot, or shill just somebody who uses a computer to do work, M$ gets attacked because of their market share. How they got it is another thread.
  • Just in, Hackers use code to Hack computers...

    Umm, can you say DUH?
  • Affects ONLY one platform?

    "The flaw affects Microsoft Office Access 2003 on Windows XP SP2."

    It doesn't say if it *ONLY* affects this exact config. For example, if you're running a recent version of Access, does it affect you? What Access platforms would NOT be affected?

    These are all answers that a good article would include, so we aren't left wondering.
  • Who in their right mind uses access?

    Microsoft access? That's a database? Don't make me laugh. Who really uses access?
    • I do

      Access is a full blown RDBMS, the only thing it lacks are stored procedures. Our company uses a 100,000 line Access program to run every aspect of our business. It's used daily and has proven reliable and robust over the last 7 years, through two versions of Access, two major rewrites, and almost weekly feature additions and changes as our business needs change.

      When done correctly, Access programs are reliable, robust, secure, and *flexible*. Not to mention easily maintained...

      Sure, Access can't handle hundreds of users in an on line transaction scenario, but that isn't how we use it.

      Besides, this new exploit is no different than the macro attacks of old--at least in terms of delivery. Not to mention that MDB files are almost *never* used in emails... (laughing)

      And did I mention MDB files are stripped automatically by Outlook? :)
    • A lot of people use Access

      It's not exactly Oracle, but that's not what it's designed for. It probably has at least as much market penetration as Oracle. It's an excellent system for small amounts of data (<100M) and small numbers of users. Why buy a full up dbms when Access is cheap?
    • Thousands Do

      Hundreds of thousands of small businesses doing billions of dollars worth of business use Access. There has yet to be a product that comes close to Access for RAD. Backends abound that are built for big business or companies with lots of IT and programming staff, lots of APIs can build slick front ends for these too. But SMBs need to get things done, in days or weeks not months or years. Only Access can do this.
      • Come on, there are Databases outside of Microsoft's products.


        DB2, Sybase, Oracle, DBase, Approach, MySQL, just to name a few!
    • Access is the Most used Database in the World

      It is true that Access does not have the robustness and scalability to handle large amounts of data (over 2 gig). But Access has an outstanding user interface and faster development tools than any other DB in existence. Access is widely acclaimed as the best Database Report Development software in the world. It can be used as a front end with SQL Server and just about any other DB. Access can import and export XML, Excel, HTML, etc. Access programmers use Visual Basic for Applications and APIs and Library References enable incredible flexibility and programmability.

      Because Access is used to link to other Databases on Servers security issues are important. Unfortunately, Access security is weak compared to larger Databases such as SQL Server and Oracle. Also, many users have not yet upgraded to Access 2007 so any threat to Access 2003 security is important.