The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft’s Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.
The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described on Thursday by ZDI, here. It was discovered by Lucas Leong of Trend Micro Security Research.
The other good news is that the Jet database engine is not terribly well deployed: it’s mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you probably will want to stop users from opening any maliciously rigged files.
In its formal advisory, ZDI said the problem is in Jet’s index manager. A crafted file in the Jet format triggers “a write past the end of an allocated buffer” when opened by the software. ZDI’s proof-of-concept exploit code is on GitHub.
This thread from 0patch cofounder Mitja Kolsek provides useful details about the conditions that the PoC will and won’t work under. Kolsek confirmed that the bug will work on a “local click” in Windows 7, and while exploitation of the bug requires a 32-bit environment, “even on 64-bit Windows, IE rendering processes are 32-bit – and can use Jet.”
ZDI said it believes “all supported Windows version[s] are impacted by this bug, including server editions.” Microsoft, we’re told, has confirmed it’s working on a patch. Since it wasn’t included in September’s Patch Tuesday, it may arrive in the October cycle.
0patch promised its own micropatch will land soon in this tweet:
7 hours after @thezdi has published details on this unpatched remotely exploitable vulnerability in Jet Database Engine, we have a micropatch candidate on Windows 7. More on this vulnerability and our micropatch soon. https://t.co/cSuIf5nubp
— 0patch (@0patch) September 20, 2018
ZDI emphasized that this issue is not related to CVE-2018-8392, which Fortinet disclosed last week after it got the Patch Tuesday treatment. ®