A remote code execution vulnerability affecting the Microsoft Jet database engine was compromised by Google's Project Zero.
This bug, "All versions of Windows are supported"[s]"Including server version" has not been confirmed in writing.
The Google Project Zero initiative sets deadlines after notifying the supplier of a serious security problem. This group will allow 120 days of vulnerability resolution before publication.
Microsoft has exceeded this time.
This vulnerability is an out-of-range (OOB) vulnerability that can be triggered by opening a Jet source through a Microsoft component called Object Linking and Embedding Database (OLEDB).
Security researchers stated that "There are certain flaws in the management of the Jet database engine index." "Data created in the database file can trigger a write after the allocated buffer has finished.
TechRepublic: Best Practices for Patch Management 8
If it is exploited, security violations are likely to be executed remotely in the context of the current user.
However, the vulnerability of this vulnerability is that in order to cause abuse, it is necessary to interact with the user by opening a malicious file containing information about the Jet database.
See also: Microsoft Updates Hotfixes Last Sunday of SALW Day 0 patch for September 2018 Updated Tuesday
PoC (proof of concept code) was released on GitHub.
This vulnerability was reported to Microsoft on May 8th. Microsoft has resolved two buffer overflow bugs affecting Jet with the latest Microsoft Patch Tuesday update, but this bug fix was unsuccessful.
Redmond giants could reproduce bugs and accepted the report as legitimate. The company is undergoing revision work, and this problem may occur with Microsoft's patch next October 10 (Tuesday).
CNET: Intel stops some bug fixes as the patch is causing problems
Because the security hole is not fixed, the Google Project Zero team believes that the way to mitigate the risk of vulnerability is to meet security and cognitive standards, that is not to open files from untrusted sources It is.
After public release of security breach, 0 patch I promised a micropatch It is suitable for Windows 7 build.
It turned out that Lucas Leong of Trend Micro Security Research found this vulnerability.
Previous and related coverage
Hope you like the news Google Zero Day team discloses unpatched Microsoft Jet RCE vulnerability. Stay Tuned For More Updates 🙂