Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Third-Party Patch Available for Microsoft JET Database Zero-Day

An unofficial patch is already available for the unpatched Microsoft JET Database Engine vulnerability that Trend Micro’s Zero Day Initiative (ZDI) made public last week.

An unofficial patch is already available for the unpatched Microsoft JET Database Engine vulnerability that Trend Micro’s Zero Day Initiative (ZDI) made public last week.

The security flaw, an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution, was reported to the vendor in early May. ZDI disclosed the issue publicly as 120 days had passed after they notified the vendor, although a patch hadn’t been released.

The bug resides in the manner in which indexes are managed in JET. Crafted data in a database file can trigger a write past the end of an allocated buffer and an attacker could exploit this to execute code under the context of the current process. Exploitation, however, requires user interaction.

Despite not being considered critical, attackers could use social engineering to trick users into opening malicious files capable of triggering the exploit.

Now, 0patch, a community project focused on resolving software vulnerabilities by delivering tiny fixes to users worldwide, says they were able to devise a patch for the bug less than a day after ZDI went public with their findings.

In a blog post detailing the fix, ACROS Security CEO Mitja Kolsek explains that, with JET only working on 32-bit systems, the proof-of-concept (PoC) code provided by ZDI would cause an error message on 64-bit systems, unless launched with wscript.exe.

Because it attempts to write past the allocated memory block, the PoC causes a crash in wscript.exe, and this is where the security researchers started from when building their patch.

Kolsek notes that a micro-patch was ready for Windows 7 only 7 hours after ZDI had published their PoC and that the fix would work on all platform iterations sharing the exact same version of msrd3x40.dll as Windows 7.

Windows 10, however, has a slightly different msrd3x40.dll, and the security researchers had to make a small tweak to the initial micro-patch to address the issue in this platform iteration as well. According to Kolsek, they used the exact same source code, just a different file hash.

“These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users’ computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities,” Kolsek notes.

The patches are free for everyone. Users interested in getting them only need to install and register the 0patch Agent. Even with these micro-patches, however, users are still advised to install Microsoft’s official fixes once they arrive.

Related: ZDI Shares Details of Microsoft JET Database Zero-Day

Related: Third-Party Patch Released for Windows Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.