Stories
Slash Boxes
Comments

SoylentNews is people

Microsoft's Jet Crash: Zero-day Flaw Drops After Deadline Passes

posted by takyon on Saturday September 22 2018, @01:55AM   Printer-friendly
from the jet-drag dept.

Bytram (from IRC) writes:

Microsoft's Jet crash: Zero-day flaw drops after deadline passes:

The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.

The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described on Thursday by ZDI, here. It was discovered by Lucas Leong of Trend Micro Security Research.

The bad news: it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file, and any arbitrary malicious code smuggled in the document is executed only with the user's privileges (we've all made sure that users don't have admin privilege, right?) The booby-trapped Jet file can also be opened using JavaScript, so someone could be fooled into viewing a webpage that uses JS to open the file, causing the code to run if it's picked up by the database.

The other good news is that the Jet database engine is not terribly well deployed: it's mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you probably will want to stop users from opening any maliciously rigged files.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Microsoft's Jet Crash: Zero-day Flaw Drops After Deadline Passes | Log In/Create an Account | Top | 28 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @09:13AM (2 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday September 22 2018, @09:13AM (#738506) Homepage Journal

    "Nobody can figure out how to copy a file."

    Not my words, but the founder and President of that vendor.

    Linux might actually be ready for the Desktop, but you're going to have to overcome decades of sloth such as a certain release of Slackware whose gEdit lost all the text that was not displayed in the window.

    That is, if you wrote a chapter of your Great American Novel then shrunk the window to just a few inches high, most of your chapter just vanished into the Ether.

    --
    Yes I Have No Bananas. [gofundme.com]
    Starting Score:    1  point
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4  

  • (Score: 2) by kazzie on Saturday September 22 2018, @01:12PM (1 child)

    by kazzie (5309) Subscriber Badge on Saturday September 22 2018, @01:12PM (#738533)

    a certain release of Slackware whose gEdit lost all the text that was not displayed in the window.

    Whenabouts was that? I've been dabling with Slackware for well over a decade and can't recall hearing of this.