Researcher Discloses New Zero-Day Affecting All Versions of Windows

Discussion in '[H]ard|OCP Front Page News' started by Megalith, Sep 22, 2018.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    12,771
    Joined:
    Aug 20, 2006
    Microsoft’s lack of action has compelled Trend Micro’s security team to reveal details of a zero-day vulnerability applicable to all Windows versions. The vulnerability involves the Microsoft JET Database Engine, which is integrated in products such as Microsoft Access and Visual Basic.

    According to an advisory released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution. An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.
     
  2. Montu

    Montu [H]ard DCOTM x4

    Messages:
    8,005
    Joined:
    Apr 25, 2001
    I don't mind them disclosing the bug, but putting out exploit code is fucking stupid.
     
  3. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,628
    Joined:
    Feb 6, 2006
    I thought JET was discontinued something like 5-10 years ago.
     
  4. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,628
    Joined:
    Feb 6, 2006
    I'm pretty sure newer versions use SQL Server Express.
     
  5. Simmonz

    Simmonz 2[H]4U

    Messages:
    2,681
    Joined:
    May 14, 2008
    I think Microsoft not fixing the issue in the last 120 days is fucking stupid.
     
    dvsman, DrezKill and JStamsek like this.
  6. Montu

    Montu [H]ard DCOTM x4

    Messages:
    8,005
    Joined:
    Apr 25, 2001
    I agree.
     
    DrezKill and Simmonz like this.
  7. STEvil

    STEvil 2[H]4U

    Messages:
    2,743
    Joined:
    Oct 17, 2000
    Well kind of depends if they ignored it outright or were actively looking for a fix.
     
  8. Lakados

    Lakados Gawd

    Messages:
    884
    Joined:
    Feb 3, 2014
    05/08/18 - ZDI reported the vulnerability to the vendor and the vendor acknowledged the report

    05/14/18 - The vendor replied that they successfully reproduced the issue ZDI reported

    09/09/18 - The vendor reported an issue with the fix and that the fix might not make the September release

    09/10/18 - ZDI cautioned potential 0-day

    09/11/18 - The vendor confirmed the fix did not make the build

    09/12/18 - ZDI confirmed to the vendor the intention to 0-day on 09/20/18


    So Microsoft was actively working on a patch looks like they just didn’t finish on time.
     
  9. Simmonz

    Simmonz 2[H]4U

    Messages:
    2,681
    Joined:
    May 14, 2008
    A company that made $22 billion in profit last fiscal year should be able to get it done if they try.
     
  10. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,628
    Joined:
    Feb 6, 2006
    You ever worked for a big company? There's so much red tape that it takes longer just to get a change planned and approved than it does to actually design test and implement the change itself.
     
  11. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,800
    Joined:
    Nov 15, 2016
    so the exploit requires an end user to run a malicious item..WOW

    How is MS to fix stupid??
     
    dvsman likes this.
  12. clockdogg

    clockdogg Gawd

    Messages:
    692
    Joined:
    Dec 12, 2007
    Yes. Similar to the Win10 Upgrade malware, but more easily avoided.

    They don't want to 'fix' stupid. Just Embrace and Extend it.

    :D