180 days ?
It's fun to see Microsoft revert back to it's old, insecure ways.
The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available. The bug, reported to …
From the article : "The other good news is that the Jet database engine is not terribly well deployed"
I was under the impression that the Jet database engine was deployed with the Windows operating system and has been for years. If that's not terribly well deployed then what is?
Am I wrong? Or is this a bug in some external layer to the Jet database engine, such as DAO, or something else, or whatever? Please tell me...I'd like to mitigate...
Yeah, but that's just in Access, isn't it? In which case it's only Office Pro.
Let's be honest, most applications that have been updated in the past 10 years will be hitting SQL Express for the back-end database. Or at least all the ones I've seen.
Edit - I lied. One of our clients has an Access DB for something horrible. But just one. And we don't talk about it.
For consumer desktop applications, you don't want to be installing SQL server.
Really? It's only SQL Express, the freebie one. I've seen it on all sorts of desktop applications, for well over ten years. Worked with a mortgage adviser once who had 3 different instances of SQL Express on his desktop because different applications were hard-coded to these instance names. Would have helped him a lot to have one instance and three databases...
It is part of MS Office Pro and above, Visual Studio and its components and any applications written in Visual Studio / Access and deployed using an installer.
It has been around for over 20 years, so it would be interesting to have a little more information about which versions are vulnerable.
That any version of Windows on which the Jet Engine has been installed is vulnerable isn't surprising. The same is true of a Word, Firefox, Chrome, SAP, Oracle etc. zero day, they would also affect all supported versions of Windows (and mac OS, Linux etc.) that they were installed on.
Geoffrey, you are right - the vulnerable Jet Engine is present on ALL Windows computers from Windows 7 and Server 2008 upwards, and can be exploited on all of them. It doesn't matter if you're using it or not. On a bit of an upside, it's harder to exploit this issue on a 64bit Windows, and - in case the attack vector is an Office document - via 64bit Office. I have published some more details in this Twitter thread: https://twitter.com/mkolsek/status/1042820055686365184
Further good news is that we have created two micropatches (just 21 bytes each) for this issue that anyone can freely apply by downloading and installing 0patch Agent from https://0patch.com, and creating a free account. More information here: https://twitter.com/0patch/status/1043135305547763712
Mitja Kolsek
ACROS Security / 0patch
it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file
So this "remote code vulnerability" can only be exploited by tricking the victim into opening a local file? How the fuck is that "remote"?
Because that local file can be downloaded and opened by executing javascript. In fact, that seems to be the preferred method, since the target Jet needs to be 32-bit and a lot of people are still using 32-bit browsers, which will call the 32-bit Jet to handle a Jet file it's been tricked into executing.
The mitigation is to run only 64-bit applications and to not execute Javascript from untrusted sources.