[German]There is a zero day vulnerability in Microsoft's Jet Engine, which is used in applications under Windows. The vulnerability is unpatched, but not critical.
Advertising
Jet Engine is a database interface from Microsoft that can be used in Access, Visual Basic or other software via the Jet Engine data source drivers.
Vulnerability published after 120 days
The vulnerability was discovered by Trend Micro and described in this blog post. At the same time, the vulnerability was reported to Microsoft on 8 May 2018. After the 120-day standstill period expired, the information was released this week.
The vulnerability
When writing to a database using the Microsoft JET database engine, an out-of-bounds (OOB) operation is possible. This could be exploited to execute remote code. However, this code will only be executed in the context of the current process. To do this, however, the user must be persuaded to open a malicious file. And the jet engine only runs in 32-bit mode. The exploitability is therefore very limited, the reason why Microsoft takes its time with a patch. Specifically, the vulnerability seems to be in the index manager of the jet engine. On GitHub there is a Proof of Concept (PoC) in form of an example database and a JavaScript program, which uses the OLEDB provider 4.0 for the write accesses. Mitja Kolsek from 0patch has posted something about it on Twitter.
A bit about this unpatched remote code execution i Windows Jet Database Engine:
1) First of all, a nice find, @thezdi and @_wmliang_! (Btw, Lucas' Twitter handle in the article – @wmliang – is wrong!) 2) Jet only exists in 32bits, so launching poc.js won't work on 64bit Windows https://t.co/57okiFs7S7 — Mitja Kolsek (@mkolsek) 20. September 2018
According to the blog post, the existence of the vulnerability in Windows 7 has been confirmed. However, security researchers believe that all supported Windows versions are vulnerable. Microsoft is working internally on a patch, but it is still unknown when it will be released. The Register has reported on this in the meantime.
Advertising
