A vulnerability in the Microsoft JET database engine remains exploitable, even after Microsoft shipped a fix for it earlier this week as part of the October 2018 Patch Tuesday.
The vulnerability came to light in mid-September after the Trend Micro Zero-Day Initiative (ZDI) posted details about it on its site.
ZDI said Microsoft had failed to patch the flaw within the agreed disclosure window, so it decided to make the issue public in order that users and companies could take steps to protect themselves against exploitation attempts.
The vulnerability, which was a zero-day at the time of its disclosure, raised alarm mainly because the JET database engine ships with every version of Windows, giving attackers a very large attack surface to target.
The JET engine was one of Microsoft's first forays into database technology. It was developed in the 1990s and has powered various Microsoft products, the most recognizable being Access, Visual Basic, Microsoft Project, and IIS 3.0.
JET has since been deprecated and replaced by newer technologies, but it is still included with Windows for backward compatibility.
Information security experts criticized Microsoft for failing to patch the vulnerability, mainly because it allowed an attacker to fully compromise a user's system remotely.
They also pointed out that Microsoft had been late to patch a flaw in another legacy component last year, Office's legacy Equation Editor, which went on to become one of the most heavily exploited vulnerabilities of the past year.
Microsoft eventually recognized the risk of leaving the JET zero-day unpatched and shipped an update this past Tuesday.
But according to Mitja Kolsek, co-founder of 0patch, Microsoft's recent JET patch is incomplete, and an attacker can still exploit the original vulnerability.
"At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it," Kolsek said. "We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix."
0patch, which released a custom "micropatch" for the JET zero-day when it was first disclosed, released another micropatch today to cover the gap until Microsoft corrects its original JET fix.
The good news is that, so far, neither Microsoft nor 0patch has seen attackers attempting to exploit this vulnerability.
Furthermore, to exploit the vulnerability an attacker must get the user to open or import a specially crafted JET database file, meaning attacks cannot be automated at scale and social engineering is still required to trick the user into opening a malicious file.
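Because the attack depends on a user opening a crafted JET database file, one practical defensive check is to identify such files at a mail gateway or on a file share by their on-disk header rather than by extension, since an attacker can rename a .mdb to anything. The following is an added example written for this article, not code from Microsoft, ZDI or 0patch; it assumes the well-known JET/ACE file layout (a 4-byte version field followed by the ASCII signature "Standard Jet DB" or "Standard ACE DB" at offset 4), and the sample headers it scans are constructed inline.

```python
import os
from typing import Optional

# Assumed file layout (from the public JET/ACE format, not from the article):
# bytes 0..3  little-endian format version (0 = Jet 3.x, 1 = Jet 4.x, 2/3 = ACE)
# bytes 4..   ASCII signature string
JET_SIGNATURE = b"Standard Jet DB"
ACE_SIGNATURE = b"Standard ACE DB"
_HEADER_LEN = 4 + len(JET_SIGNATURE)


def classify_jet_header(data: bytes) -> Optional[str]:
    """Return a short description if the buffer starts with a JET/ACE database
    header, or None if it does not. Extension is deliberately ignored."""
    if len(data) < _HEADER_LEN:
        return None
    signature = data[4:_HEADER_LEN]
    version = int.from_bytes(data[0:4], "little")
    if signature == JET_SIGNATURE:
        return {0: "Jet 3.x", 1: "Jet 4.x"}.get(version, f"Jet (version {version})")
    if signature == ACE_SIGNATURE:
        return f"ACE (version {version})"
    return None


def scan_directory(root: str) -> dict:
    """Walk a directory tree and report every file whose header marks it as a
    JET/ACE database, keyed by path, regardless of its file extension."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(_HEADER_LEN)
            except OSError:
                continue  # unreadable files are skipped, not treated as clean
            kind = classify_jet_header(head)
            if kind is not None:
                findings[path] = kind
    return findings


# Constructed sample headers (not real files): a Jet 4 header, an ACE header,
# and an ordinary ZIP header that must not be flagged.
SAMPLE_JET4 = (1).to_bytes(4, "little") + JET_SIGNATURE + b"\x00" * 8
SAMPLE_ACE = (2).to_bytes(4, "little") + ACE_SIGNATURE + b"\x00" * 8
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 20

if __name__ == "__main__":
    for label, blob in (("jet4", SAMPLE_JET4), ("ace", SAMPLE_ACE), ("zip", SAMPLE_ZIP)):
        print(label, "->", classify_jet_header(blob))
```

The check keys purely on the header bytes, so a renamed or double-extension attachment is still caught; it says nothing about whether a given file is malicious, only that it is a JET/ACE database that the vulnerable engine would parse if opened.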