SoylentNews is people

posted by takyon on Saturday September 22 2018, @01:55AM
from the jet-drag dept.

Microsoft's Jet crash: Zero-day flaw drops after deadline passes:

The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.

The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described on Thursday by ZDI, here. It was discovered by Lucas Leong of Trend Micro Security Research.

The bad news: it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file, and any arbitrary malicious code smuggled in the document is executed only with the user's privileges (we've all made sure that users don't have admin privilege, right?). The booby-trapped Jet file can also be opened using JavaScript, so someone could be fooled into viewing a webpage that uses JS to open the file, causing the code to run if it's picked up by the database.

The other good news is that the Jet database engine is not terribly well deployed: it's mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you probably will want to stop users from opening any maliciously rigged files.


  • (Score: 2) by Gaaark on Saturday September 22 2018, @03:27AM (3 children)

    When will people stop being stupid?

    What will it take? Seriously.....what will it REALLY take to get people to stop being stupid?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: -1, Troll) by Anonymous Coward on Saturday September 22 2018, @03:29AM

    Unfortunately a bullet in the head is the only possible cure for khallow.

  • (Score: 2) by MostCynical on Saturday September 22 2018, @06:35AM

    When not-stupid is easier than stupid.

    Stupid is often lazy plus uninformed, but laziness feeds ignorance, so..

    Won't even happen when stupid causes death (already happened)

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 2) by Freeman on Monday September 24 2018, @04:44PM

    I'm not stupid, or uninformed, I'm just stuck with an either / or situation and so far it's been me using Windows. They have definitely nearly pushed me out of the Microsoft camp entirely with the recent Win10 built-in spyware, though. All it would take is them announcing some subscription based model and I'm 100% out. The unfortunate part is that I hear VR on Linux isn't well supported. I don't have enough skin in the game to not dump it, if necessary though.

    Most of the reason why I don't have Linux on my current box is, because of ease of use. It would take more effort to switch everything over to Linux than I want to spend, right now. I have limited free time and don't want to take the effort to switch to Linux. Assuming, I knew that I would have a seamless transition and the few games I am currently playing ran well. I would make the switch. There's no guarantee that I wouldn't be stuck distro hopping only to find out that something, something, have to build something, because something. Sure, I can figure it out and maybe it would just work. I don't have tons of free time anymore. I have a wife and kid and they both need and want my attention. So, at the end of the day, I just want to relax and that doesn't involve switching graphic drivers, because it doesn't work on this game.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"