Trend Micro Zero Day team discloses unpatched Microsoft Jet RCE vulnerability
A remote code execution vulnerability impacting the Microsoft Jet Database Engine has been disclosed by Trend Micro.
Security
The bug, which is thought to impact "all supported Windows version[s], including server editions," is unpatched at the time of writing.
The Trend Micro Zero Day Initiative enforces a set time limit after notifying vendors of serious security issues. The group permits 120 days to resolve a vulnerability before public disclosure.
Microsoft has exceeded this deadline.
The vulnerability is an out-of-bounds (OOB) write flaw which can be triggered by opening a Jet source via a Microsoft component known as Object Linking and Embedding Database (OLEDB).
"The specific flaw exists within the management of indexes in the Jet database engine," the security researchers say. "Crafted data in a database file can trigger a write past the end of an allocated buffer."
TechRepublic: 8 best practices for managing software patches
If exploited, the security flaw could lead to remote code execution in the context of the current user.
However, the saving grace of this vulnerability is that in order to trigger an exploit, user interaction is required through the opening of a crafted, malicious file containing Jet database information.
See also: Microsoft patches recent ALPC zero-day in September 2018 Patch Tuesday updates
Proof-of-concept (PoC) code has been made public on GitHub.
The vulnerability was reported to Microsoft on May 8. While Microsoft resolved two separate buffer overflow bugs impacting Jet in the latest Microsoft Patch Tuesday update, a fix for this bug did not make the release.
The Redmond giant has managed to replicate the bug and has accepted the report as legitimate. The company is working on a patch and we are likely to see it in the upcoming Microsoft October Patch Tuesday.
CNET: Intel halts some chip patches as the fixes cause problems
As the security flaw is unpatched, Trend Micro says the way to mitigate the risk of exploit is simply to adhere to good standards of security hygiene and awareness -- or, in other words, do not open any files from untrusted sources.
Following the public disclosure of the security flaw, 0patch promised a micropatch suitable for Windows 7 builds.
Update 15.25 BST: 0patch has now made patches available to those who wish to remedy their systems ahead of Microsoft's next patch round.
The patches apply to fully-updated 32-bit and 64-bit Windows systems, versions 10, 8.1, 7, and Windows Server 2008-2016.
Lucas Leong of Trend Micro Security Research has been credited with the discovery of the vulnerability.
Amendment: Article originally reported that the security flaw was found by Google's Project Zero. This has been amended.