Trend Micro has disclosed a new Microsoft Jet vulnerability that is still unpatched. The vulnerability affects all supported Windows OS and Server editions.
Trend Micro’s Zero Day Initiative works by identifying bugs and reporting them to the software vendors with a time frame to fix them. The time frame is usually set to 120 days before the vulnerability is publicly disclosed. The group reported the vulnerability to Microsoft on 8th May and gave them 120 days to fix it, following which the vulnerability was made public. The group also shared the Proof of Concept (PoC) on GitHub with the details related to the vulnerability.
The vulnerability is an out-of-bounds write flaw which can be triggered by opening a Jet source via a Microsoft component known as Object Linking and Embedding Database (OLEDB).
The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer.
– Trend Micro
Microsoft has accepted the vulnerability and is expected to roll out a fix in October. Meanwhile, 0patch has confirmed a micropatch for Windows 7 users.
7 hours after @thezdi has published details on this unpatched remotely exploitable vulnerability in Jet Database Engine, we have a micropatch candidate on Windows 7. More on this vulnerability and our micropatch soon. https://t.co/cSuIf5nubp
— 0patch (@0patch) September 20, 2018
For now, Trend Micro recommends not opening any attachments from untrusted sources, which might contain malicious code. Security researcher Lucas Leong has been credited with the discovery of the vulnerability.