back to article Microsoft's Jet crash: Zero-day flaw drops after deadline passes

The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available. The bug, reported to …

  1. Gerhard Mack

    180 days ?

    It's fun to see Microsoft revert back to it's old, insecure ways.

    1. Avatar of They
      Stop

      Re: 180 days ?

      They never left their insecure ways. They used to have QA & Testers and were insecure. Now QA & Testing is done by the public and it is still insecure.

  2. Anonymous Coward
    Anonymous Coward

    Shouldn't Trend Micro be cleaning it's own house first?

    "It was discovered by Lucas Leong of Trend Micro Security Research."

    https://www.theregister.co.uk/2018/09/10/trend_micro_apple_macos/

  3. Geoffrey W

    From the article : "The other good news is that the Jet database engine is not terribly well deployed"

    I was under the impression that the Jet database engine was deployed with the Windows operating system and has been for years. If that's not terribly well deployed then what is?

    Am I wrong? Or is this a bug in some external layer to the Jet database engine, such as DAO, or something else, or whatever? Please tell me...I'd like to mitigate...

    1. Anonymous Coward Silver badge
      Windows

      I believe it's actually in the MS Office suite and has been since forever (I think I first encountered it in Office 95, but I didn't do DB stuff before that)

      But yeah, it is incredibly widely deployed.

      1. Candy

        WINS is for Winners

        Also, WINS runs on Jet. And, yes, there's a lot of people running WINS still...

      2. defiler

        MS Office Suite

        Yeah, but that's just in Access, isn't it? In which case it's only Office Pro.

        Let's be honest, most applications that have been updated in the past 10 years will be hitting SQL Express for the back-end database. Or at least all the ones I've seen.

        Edit - I lied. One of our clients has an Access DB for something horrible. But just one. And we don't talk about it.

        1. Anonymous Coward
          Anonymous Coward

          Re: MS Office Suite

          For consumer desktop applications, you don't want to be installing SQL server.

          That's why JET would be used. It's essentially a very shit version of SQLite, but it's also a standard interface to other engines.

          1. defiler

            Re: MS Office Suite

            For consumer desktop applications, you don't want to be installing SQL server.

            Really? It's only SQL Express, the freebie one. I've seen it on all sorts of desktop applications, for well over ten years. Worked with a mortgage adviser once who had 3 different instances of SQL Express on his desktop because different applications were hard-coded to these instance names. Would have helped him a lot to have one instance and three databases...

      3. big_D Silver badge

        It is part of MS Office Pro and above, Visual Studio and its components and any applications written in Visual Studio / Access and deployed using an installer.

        It has been around for over 20 years, so it would be interesting to have a little more information about which versions are vulnerable.

        That any version of Windows on which the Jet Engine has been installed is vulnerable isn't surprising. The same is true of a Word, Firefox, Chrome, SAP, Oracle etc. zero day, they would also affect all supported versions of Windows (and mac OS, Linux etc.) that they were installed on.

    2. FIA Silver badge

      I was under the impression that the Jet database engine was deployed with the Windows operating system and has been for years.

      Yup. It's part of MDAC which has been part of windows since Windows 2000.

    3. Anonymous Coward
      Anonymous Coward

      All supported Windows versions are affected, free micropatches are available

      Geoffrey, you are right - the vulnerable Jet Engine is present on ALL Windows computers from Windows 7 and Server 2008 upwards, and can be exploited on all of them. It doesn't matter if you're using it or not. On a bit of an upside, it's harder to exploit this issue on a 64bit Windows, and - in case the attack vector is an Office document - via 64bit Office. I have published some more details in this Twitter thread: https://twitter.com/mkolsek/status/1042820055686365184

      Further good news is that we have created two micropatches (just 21 bytes each) for this issue that anyone can freely apply by downloading and installing 0patch Agent from https://0patch.com, and creating a free account. More information here: https://twitter.com/0patch/status/1043135305547763712

      Mitja Kolsek

      ACROS Security / 0patch

      1. diodesign (Written by Reg staff) Silver badge

        Re: Kolsek

        Thanks - I've added an update.

        C.

    4. GidaBrasti
      Holmes

      "... I'd like to mitigate... ..."

      Install Linux then!

      Geez, I'can't believe I'm the first to suggest it

      1. Anonymous Coward
        Anonymous Coward

        So no database engine exploits on Linux ever?

        1. Remy Redert

          No database engine exploits on databases that are installed with the OS and can't be removed, no.

  4. hplasm
    Happy

    Access

    "One of our clients has an Access DB for something horrible"

    All Access DBs are something horrible.

    1. Korev Silver badge

      Re: Access

      You have to admit that they're a step above having a "database" in Excel.

      1. Deckard_C

        Re: Access

        Ah yes where someone sorts just one column or overwrites whole chunk of the sheet or all that inconsistently entered data..... I'll just go and sit down now somewhere quite.

    2. Deckard_C

      Re: Access

      Been responsaible for some of those in my foolish youth, they still haunt me. Can be fairly reliable if you only let one person in the database at a time.

  5. Tom 38
    WTF?

    it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file

    So this "remote code vulnerability" can only be exploited by tricking the victim into opening a local file? How the fuck is that "remote"?

    1. Remy Redert

      Because that local file can be downloaded and opened by executing javascript. In fact, that seems to be the preferred method, since the target Jet needs to be 32-bit and a lot of people are still using 32-bit browsers, which will call the 32-bit Jet to handle a Jet file it's been tricked into executing.

      The mitigation is to run only 64-bit applications and to not execute Javascript from untrusted sources.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like