Google researchers have disclosed a zero-day vulnerability in the Microsoft Jet Database Engine. The flaw allows for remote code execution and is thought to affect all supported Windows versions.
According to Trend Micro, that includes Windows Server versions, making it potentially very dangerous. Thankfully, attackers must open a malicious JET file to trigger the flaw, limiting its reach somewhat.
“The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB,” explains the company’s researchers.
The JET database format is somewhat common, so users could be tricked into opening the file in the right circumstances. Once activated, the attacker would be able to execute code at “the level of the current process”.
Researchers often try to co-operate with the affected company before publishing Zero-Day exploits, and that seems to be the case here. However, like Google, Trend Micro’s Zero Day Initiative has a limit on its patience.
To prevent companies from becoming lazy, Trend Micro sets a countdown of 120 days. That’s kinder than Google’s 90 days, and it’s surprising that Microsoft hasn’t patched the issue yet.
Still, Trend Micro’s Simon Zuckerbraun has confirmed that the tech giant is working on the issue, and we can expect a fix soon. In the meantime, users should probably be cautious about the Microsoft Jet files they open.