Microsoft’s Jet crash: Zero-day flaw drops after deadline passes

The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft’s Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.

The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described by ZDI on Thursday. It was discovered by Lucas Leong of Trend Micro Security Research.

The bad news: it’s a remote-code execution vulnerability, specifically an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file, and any malicious code smuggled in the document is executed only with the user’s privileges (we’ve all made sure that users don’t have admin privilege, right?). The booby-trapped Jet file can also be opened using JavaScript, so someone could be fooled into viewing a webpage that uses JS to open the file, causing the malicious code to run when the database engine parses it.

The other good news is that the Jet database engine is not terribly widely deployed: it’s mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you will probably want to stop users from opening any maliciously rigged files.

In its formal advisory, ZDI said the problem is in Jet’s index manager. A crafted file in the Jet format triggers “a write past the end of an allocated buffer” when opened by the software. ZDI’s proof-of-concept exploit code is on GitHub.

This thread from 0patch cofounder Mitja Kolsek provides useful details about the conditions that the PoC will and won’t work under. Kolsek confirmed that the bug will work on a “local click” in Windows 7, and while exploitation of the bug requires a 32-bit environment, “even on 64-bit Windows, IE rendering processes are 32-bit – and can use Jet.”

ZDI said it believes “all supported Windows version[s] are impacted by this bug, including server editions.” Microsoft, we’re told, has confirmed it’s working on a patch. Since it wasn’t included in September’s Patch Tuesday, it may arrive in the October cycle.

0patch promised in a tweet that its own micropatch will land soon.

ZDI emphasized that this issue is not related to CVE-2018-8392, which Fortinet disclosed last week after it got the Patch Tuesday treatment. ®