Rabitə və İnformasiya Texnologiyaları Nazirliyinin elektron xəbər xidməti
Zero Day in Microsoft Jet Database Engine Leaves Most Windows Versions Vulnerable
A new vulnerability has been disclosed, highlighting a flaw in Microsoft Jet Database Engine. If left alone, the problem could leave many Windows OS versions and Windows Server editions vulnerable. The flaw was found by Trend Micro and the company says Microsoft has yet to issue a patch.
This Zero Day was discovered under Trend Zero’s traditional method. The group finds bugs and reported them to software developers. In a similar vain to Google’s Project Zero, vendors are given 120 days to issue a fix before Trend Zero makes it public.
Ok, Project Zero’s timeframe is 90 days, but the situation is the same. Microsoft has 120 days but failed to issue a patch in that time. As we have discussed before, this is a disclosure method that Microsoft disagrees with. The company says it would prefer to deal with companies to find a fix.
Trend Zero told Microsoft about the situation on May 8 but the company has still not solved the problem The Jet Database Engine problem is potentially huge. Not least because Jet is a database engine that underpins numerous Microsoft products, among them Windows OS and Server.
The security researchers describe the vulnerability as an Out-of-Bound write flaw. It could be triggered through a Jet source through Microsoft’s own Object Linking and Embedding Database (OLEDB).
Trend Zero describes the flaw in its disclosure write up:
“To trigger this vulnerability, a user would need to open a specially crafted file containing data stored in the JET database format. Various applications use this database format. An attacker using this would be able to execute code at the level of the current process…
“An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file.”
Microsoft has been told about the flaw and the company has acknowledged it exists. Redmond is now expected to roll out a patch during October, likely on Patch Tuesday.
24/09/18 Çap et