Microsoft's Jet crash: Zero-day flaw drops after deadline passes:
The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.
The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described on Thursday by ZDI, here. It was discovered by Lucas Leong of Trend Micro Security Research.
The bad news: it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file, and any arbitrary malicious code smuggled in the document is executed only with the user's privileges (we've all made sure that users don't have admin privilege, right?) The booby-trapped Jet file can also be opened using JavaScript, so someone could be fooled into viewing a webpage that uses JS to open the file, causing the code to run if it's picked up by the database.
The other good news is that the Jet database engine is not terribly well deployed: it's mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you probably will want to stop users from opening any maliciously rigged files.
(Score: 3, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @08:38AM (3 children)
If it's used by Microsoft Access, then it is _exceedingly_ well deployed.
This flaw could be quite a serious problem, potentially a national emergency.
I'd rather not point out where all those Access installs are, but I'm going to drop a dime to a software vendor that's been building their product on Access for decades.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @09:10AM
Dime Dropped. The guy I emailed is generally good about his email.
The software in question is quite cool as well as quite popular, but yes I was appalled when they explained it was built on top of Access.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Interesting) by digitalaudiorock on Saturday September 22 2018, @01:45PM
As I recall, it was used in Diebold voting machines at least at one point.
(Score: 2, Informative) by Anonymous Coward on Saturday September 22 2018, @08:17PM
Every version of Windows in modern use has the Jet DB engine included. MSJET*.DLL etc. So "not terribly well deployed" is absolutely false since it's only a part of practically every single 32/64-bit Windows machine that exists. In fact, I just confirmed by fishing through the CAB files that Windows 95 OSR2 (aka Win95B) has MSJT3032.DLL which is Jet 2.0, so yeah, it's literally deployed even on ancient Win95 machines.