Security Experts:

Connect with us

Hi, what are you looking for?



ZDI Shares Details of Microsoft JET Database Zero-Day

Trend Micro’s Zero Day Initiative (ZDI) on Thursday made public details on a vulnerability impacting the Microsoft JET Database Engine, although a patch isn’t yet available for it.

Trend Micro’s Zero Day Initiative (ZDI) on Thursday made public details on a vulnerability impacting the Microsoft JET Database Engine, although a patch isn’t yet available for it.

The zero-day vulnerability was reported to Microsoft in early May 2018 and a fix was expected to be included in the company’s September set of security updates, but it did not make the cut.

As per the ZDI’s disclosure policy, information on the bug was released publicly 120 days after the vendor was notified on its existence, despite the lack of a patch.

The issue, ZDI explains, is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution.

Discovered by Lucas Leong of Trend Micro Security Research, the flaw resides in the management of indexes in JET and crafted data in a database file can trigger a write past the end of an allocated buffer.

Although an attacker could leverage the vulnerability to execute code under the context of the current process, exploitation requires user interaction, ZDI’s Simon Zuckerbraun explains in a blog post. Specifically, it requires for the victim to open a malicious file that would trigger the bug.

“Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB,” Zuckerbraun notes.

OLEDB (or OLE-DB) stands for Object Linking and Embedding, Database, an API from Microsoft that allows accessing data from a variety of sources in a uniform manner.

An attacker looking to trigger the vulnerability would need to trick the user into opening a specially crafted file that contains data stored in the JET database format. The database format is used by various applications and the attacker would be able to execute code at the level of the current process.

The vulnerability was confirmed in Windows 7, but ZDI, which also published proof of concept code, believes that all supported Windows version are impacted, including server editions.

“Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources,” Zuckerbraun concludes.

The zero-day flaw has a CVSS score of 6.8.

Related: Microsoft Patches Windows Zero-Day Disclosed via Twitter

Related: Exploit Published for Windows Task Scheduler Zero-Day

Related: Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.