Connect with us

Hi, what are you looking for?



ZDI Shares Details of Microsoft JET Database Zero-Day

Trend Micro’s Zero Day Initiative (ZDI) on Thursday made public details on a vulnerability impacting the Microsoft JET Database Engine, although a patch isn’t yet available for it.

Trend Micro’s Zero Day Initiative (ZDI) on Thursday made public details on a vulnerability impacting the Microsoft JET Database Engine, although a patch isn’t yet available for it.

The zero-day vulnerability was reported to Microsoft in early May 2018 and a fix was expected to be included in the company’s September set of security updates, but it did not make the cut.

As per the ZDI’s disclosure policy, information on the bug was released publicly 120 days after the vendor was notified on its existence, despite the lack of a patch.

The issue, ZDI explains, is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution.

Discovered by Lucas Leong of Trend Micro Security Research, the flaw resides in the management of indexes in JET and crafted data in a database file can trigger a write past the end of an allocated buffer.

Although an attacker could leverage the vulnerability to execute code under the context of the current process, exploitation requires user interaction, ZDI’s Simon Zuckerbraun explains in a blog post. Specifically, it requires for the victim to open a malicious file that would trigger the bug.

“Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB,” Zuckerbraun notes.

Advertisement. Scroll to continue reading.

OLEDB (or OLE-DB) stands for Object Linking and Embedding, Database, an API from Microsoft that allows accessing data from a variety of sources in a uniform manner.

An attacker looking to trigger the vulnerability would need to trick the user into opening a specially crafted file that contains data stored in the JET database format. The database format is used by various applications and the attacker would be able to execute code at the level of the current process.

The vulnerability was confirmed in Windows 7, but ZDI, which also published proof of concept code, believes that all supported Windows version are impacted, including server editions.

“Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources,” Zuckerbraun concludes.

The zero-day flaw has a CVSS score of 6.8.

Related: Microsoft Patches Windows Zero-Day Disclosed via Twitter

Related: Exploit Published for Windows Task Scheduler Zero-Day

Related: Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.