Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
posted by takyon on Saturday September 22 2018, @01:55AM   Printer-friendly
from the jet-drag dept.

Microsoft's Jet crash: Zero-day flaw drops after deadline passes:

The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.

The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described on Thursday by ZDI, here. It was discovered by Lucas Leong of Trend Micro Security Research.

The bad news: it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file, and any arbitrary malicious code smuggled in the document is executed only with the user's privileges (we've all made sure that users don't have admin privilege, right?) The booby-trapped Jet file can also be opened using JavaScript, so someone could be fooled into viewing a webpage that uses JS to open the file, causing the code to run if it's picked up by the database.

The other good news is that the Jet database engine is not terribly well deployed: it's mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you probably will want to stop users from opening any maliciously rigged files.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Saturday September 22 2018, @03:24AM (1 child)

    by Anonymous Coward on Saturday September 22 2018, @03:24AM (#738467)

    Richard Stallman began the GNU Project with the explicitly stated goal of lowering programmer salaries to the level of sales clerks. He very nearly is succeeding. On average he has succeeded already when the vast numbers of unpaid free software programmers are counted. There are yet some few millennial hipster douchebags who earn pay in the six figure range and are deluded enough to believe they deserve to get paid for coding work. This state of affairs is not economically sustainable and professional coder pay will be corrected to zero by the invisible hand of capitalism. On the subject of Mr Torvalds all I can say is I hope he enjoys his new career of selling coffee.

  • (Score: 0) by Anonymous Coward on Saturday September 22 2018, @06:09AM

    by Anonymous Coward on Saturday September 22 2018, @06:09AM (#738485)

    Interesting. Can I subscribe to your newsletter?

    Will he enjoy selling coffee? With $150m in the bank, he just may.