Microsoft JET vulnerability still open to attacks, despite recent patch

Microsoft's patch for a JET database engine zero-day deemed incomplete.
Written by Catalin Cimpanu, Contributor

A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.

The vulnerability came to light in mid-September after the Trend Micro Zero-Day Initiative (ZDI) posted details about it on its site.

ZDI said Microsoft had failed to patch the flaw within the disclosure deadline, so it decided to make the issue public so that users and companies could take steps to protect themselves against any exploitation attempts.

The vulnerability, which was a zero-day at the time of its disclosure, raised some alarms, mainly because the JET database engine is included in all versions of Windows, giving attackers a very large attack surface to target.


The JET engine was one of Microsoft's first forays into database technology. It was developed in the 1990s and has been used to power various Microsoft applications, the most recognizable being Access, Visual Basic, Microsoft Project, and IIS 3.0.

JET has since been deprecated and replaced by newer technologies, but it is still included with Windows for legacy purposes.

Information security experts criticized Microsoft for failing to patch the vulnerability, mainly because it allowed a remote, full compromise of the user's system.

They also recalled that Microsoft had been late to patch a flaw in another legacy product last year, Office's legacy Equation Editor, which went on to become one of the most heavily exploited vulnerabilities of the past year.

Fortunately, Microsoft did in the end recognize the problem with leaving the JET zero-day unpatched and shipped an update this past Tuesday.

But according to Mitja Kolsek, co-founder of 0patch, Microsoft's recent JET patch is incomplete, and an attacker can still exploit the original vulnerability.

"At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it," Kolsek said. "We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix."


0patch, which released a so-called "micropatch" for the JET zero-day when it was first disclosed, released another micropatch today to cover the gap until Microsoft corrects its original JET fix.

The good news is that, so far, neither Microsoft nor 0patch has seen attackers trying to exploit this vulnerability.

Furthermore, to exploit the vulnerability, a user must open or import a specially crafted Microsoft JET Database Engine file, meaning attacks cannot be automated at scale and social engineering is still required to trick the user into opening a malicious file.
