There is a vulnerability in the Microsoft JET Database Engine, and a patch is still in development.
The Zero Day vulnerability ended up reported to Microsoft in May and a fix was expected to be in the company’s September security updates, but it did not make the cut, said researchers at Trend Micro’s Zero Day Initiative (ZDI)
Because of ZDI’s disclosure policy, information on the bug was released publicly 120 days after the vendor was notified of its existence, despite the lack of a patch.
The issue is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution, ZDI researchers said.
Discovered by Lucas Leong of Trend Micro Security Research, the flaw resides in the management of indexes in JET and crafted data in a database file can trigger a write past the end of an allocated buffer.
Although an attacker could leverage the vulnerability to execute code under the context of the current process, exploitation requires user interaction, said ZDI’s Simon Zuckerbraun in a post. It requires the victim to open a malicious file that would trigger the bug.
“Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB,” Zuckerbraun said.
OLEDB (or OLE-DB) stands for Object Linking and Embedding, Database, an API from Microsoft that allows accessing data from a variety of sources in a uniform manner.
An attacker looking to trigger the vulnerability would need to trick the user into opening a specially crafted file that contains data stored in the JET database format. The database format is used by various applications and the attacker would be able to execute code at the level of the current process.