Microsoft Database Bug Goes Unpatched - InformationWeek

4/13/2005
01:53 PM

Microsoft Database Bug Goes Unpatched

A bug in Microsoft's Jet Database Engine exposes data in the Redmond, Wash.-based company's Access database software, security firm Secunia said Tuesday, the same day Microsoft released a slew of vulnerability warnings for Windows, Office, Exchange and MSN Messenger.

A fix for the new Jet bug, however, was missing from Tuesday's patch parade.

Secunia, which labeled the vulnerability as "highly critical," said that a parsing problem in the engine -- which provides data access for applications such as Access, Microsoft Visual Basic, and other third-party apps -- could be used by attackers to gain complete control of a targeted PC.

"This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access," Secunia said in its alert.

Exploit code is out and about, added Secunia, which noted that the code has been posted to a public mailing list. The vulnerability exists in the most recent version of Access 2003 -- included in some versions of Office 2003 -- and even impacts users running Windows XP SP2, said Secunia.

"Microsoft is currently investigating these new public reports of a possible vulnerability in Microsoft Office and we have been made aware that exploit code for this vulnerability has been released," said a company spokesperson. Microsoft went on to say that it's not aware of any active attacks using the exploit code, but it "will continue to aggressively investigate the reports."

The company wouldn't commit to a timeline for producing a patch, and as is its custom, stated that it would "take the appropriate action, which may include providing a fix through our monthly release process or an out-of-cycle security update."

According to Secunia, the original disclosure of the vulnerability came from a group called HexView, which said that it had notified Microsoft of the bug on March 30. HexView's policy, which is to give vendors as little as 24 hours' notice before going public with a flaw, is certainly at odds with the stance of Microsoft, which in the past has slammed security researchers for announcing vulnerabilities before a patch is available.

Microsoft didn't shy away from blasting HexView, again with a now-standard response from a spokesperson, who said "Microsoft is concerned that this new report of a vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk."

Microsoft released eight security bulletins Tuesday that included 18 vulnerabilities, 7 of which were marked as "critical," but none addressed the bug in Jet.

This isn't the first time the Jet Database Engine has been singled out by attackers. Last year, Microsoft patched Jet against a different bug in its MS04-014 bulletin.
