0Day Windows JET Database Vulnerability disclosed by Zero Day Initiative

A zero-day vulnerability in the Microsoft Windows Jet Database Engine has been disclosed by Trend Micro’s Zero Day Initiative even though a security update is not currently available from Microsoft.

This vulnerability was discovered by Lucas Leong of the Trend Micro Security Research team and could allow attackers to perform remote code execution on a vulnerable machine. To initiate this attack, a specially crafted Jet database file would need to be opened, which would then perform an out-of-bounds write to the program’s memory buffer. This would then lead to remote code execution on the targeted Windows computer.

This vulnerability has been assigned the ZDI-18-1075 ID and is stated to affect “Windows”. It is not known if all versions of Windows are affected by this vulnerability.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.”

As Microsoft has not released a security update for this vulnerability, the disclosure states that the only way to prevent this attack is to only open trusted Jet database files.

“Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application to trusted files.”

After publishing the article, we were notified that 0Patch have released 3rd party micropatches that resolve this vulnerability. They have also confirmed that this vulnerability affects Windows 10, Windows 8.1, Windows 7, and Windows Server 2008-2016.
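Restricting Jet database files to trusted sources means first knowing which files in an untrusted location (a download folder, a mail-attachment store) are Jet databases, whatever they are named. The sketch below is an added example, not code from ZDI, Microsoft or 0Patch: it identifies Jet/ACE files by their well-known file header. The extension list and sample file names are assumptions, and the samples are constructed header-only files.

```python
import os
import tempfile

# Jet/ACE files start with 00 01 00 00 followed by a NUL-terminated format string.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB\x00"
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB\x00"
DB_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}  # assumption: names you expect

def classify(path):
    """Return 'jet', 'ace' or None based on the file header, not the name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(JET_MAGIC))
    except OSError:
        return None  # unreadable file: nothing to report for it
    if head == JET_MAGIC:
        return "jet"
    if head == ACE_MAGIC:
        return "ace"
    return None

def scan(root):
    """Walk root; return (relative path, kind, extension_mismatch) per database."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            findings.append((os.path.relpath(full, root), kind, ext not in DB_EXTENSIONS))
    return sorted(findings)

def demo():
    """Constructed samples: header bytes plus padding, not real databases."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "sales.mdb": JET_MAGIC + b"\x00" * 64,
            "invoice.pdf": JET_MAGIC + b"\x00" * 64,  # database content, other name
            "notes.txt": b"plain text, not a database\n",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    for rel, kind, mismatch in demo():
        print(rel, kind, "(extension does not match content)" if mismatch else "")
```

Files reported with a mismatch deserve the same handling as any other Jet database from an untrusted source.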

Disclosed without available update

When the Zero Day Initiative (ZDI) reports a vulnerability to a vendor, it allows the vendor 4 months (120 days) to fix the vulnerability and release a patch. If a vendor does not release a fix within that time frame or provide a reasonable explanation for not doing so, ZDI will publicly disclose the vulnerability.

“If a vendor response is received within the timeframe outlined above, ZDI will allow the vendor 4-months (120 days) to address the vulnerability with a security patch or other corrective measure as appropriate,” the ZDI disclosure policy states. “At the end of the deadline, if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect the user. We believe that by taking these actions, the vendor will understand the responsibility they have to their customers and will react appropriately. Extensions to the 120-day disclosure timeline will not be granted.”

This policy is in place to force the vendor to release a patch in a timely manner.

According to ZDI, this vulnerability was disclosed to Microsoft on 05/08/18 and Microsoft confirmed receipt on 05/14/18.

The timeline below shows that Microsoft began working on a patch but had an issue with it. Because of this, they were not able to get the fix released as part of the September 2018 Patch Tuesday updates.

05/08/18 - ZDI reported the vulnerability to the vendor and the vendor acknowledged the report
05/14/18 - The vendor replied that they successfully reproduced the issue ZDI reported
09/09/18 - The vendor reported an issue with the fix and that the fix might not make the September release
09/10/18 - ZDI cautioned potential 0-day
09/11/18 - The vendor confirmed the fix did not make the build
09/12/18 - ZDI confirmed to the vendor the intention to 0-day on 09/20/18

As part of this disclosure release, ZDI has also published a Proof-of-Concept to their GitHub repository.

BleepingComputer has contacted both Microsoft and ZDI for more details behind this disclosure, but had not heard back by the time of this publication.

Update 9/21/18: Updated to include information about 0Patch’s micropatch for this vulnerability.