Researcher Discloses New Zero-Day Affecting All Versions of Windows

[Megalith]

Microsoft’s lack of action has compelled Trend Micro’s security team to reveal details of a zero-day vulnerability applicable to all Windows versions. The vulnerability involves the Microsoft JET Database Engine, which is integrated in products such as Microsoft Access and Visual Basic.

According to an advisory released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution. An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.

 

[DooKey]

I don't mind them disclosing the bug, but putting out exploit code is fucking stupid.

 

[BinarySynapse]

I thought JET was discontinued something like 5-10 years ago.

 

[BinarySynapse]

From the article it seems it's still in use:

"The Microsoft JET Database Engine, or simply JET (Joint Engine Technology), is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic."

I'm pretty sure newer versions use SQL Server Express.

 

[Simmonz]

I don't mind them disclosing the bug, but putting out exploit code is fucking stupid.

I think Microsoft not fixing the issue in the last 120 days is fucking stupid.

 

[DooKey]

I think Microsoft not fixing the issue in the last 120 days is fucking stupid.

I agree.

 

[STEvil]

I think Microsoft not fixing the issue in the last 120 days is fucking stupid.

Well kind of depends if they ignored it outright or were actively looking for a fix.

 

[Lakados]

05/08/18 - ZDI reported the vulnerability to the vendor and the vendor acknowledged the report

05/14/18 - The vendor replied that they successfully reproduced the issue ZDI reported

09/09/18 - The vendor reported an issue with the fix and that the fix might not make the September release

09/10/18 - ZDI cautioned potential 0-day

09/11/18 - The vendor confirmed the fix did not make the build

09/12/18 - ZDI confirmed to the vendor the intention to 0-day on 09/20/18


So Microsoft was actively working on a patch looks like they just didn’t finish on time.

 

[Simmonz]

Well kind of depends if they ignored it outright or were actively looking for a fix.

A company that made $22 billion in profit last fiscal year should be able to get it done if they try.

 

[BinarySynapse]

A company that made $22 billion in profit last fiscal year should be able to get it done if they try.

You ever worked for a big company? There's so much red tape that it takes longer just to get a change planned and approved than it does to actually design test and implement the change itself.

 

[katanaD]

An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.

so the exploit requires an end user to run a malicious item..WOW

How is MS to fix stupid??

 

[clockdogg]

so the exploit requires an end user to run a malicious item..WOW

Yes. Similar to the Win10 Upgrade malware, but more easily avoided.

How is MS to fix stupid??

They don't want to 'fix' stupid. Just Embrace and Extend it.