Microsoft JET vulnerability still open to attacks, despite recent patch
A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.
Security
The vulnerability came to light in mid-September after the Trend Micro Zero-Day Initiative (ZDI) posted details about it on its site.
ZDI said Microsoft had failed to patch the flaw in due time and they decided to make the issue public, so users and companies could take actions to protect themselves against any exploitation attempts.
The vulnerability, which was a zero-day at the time of its disclosure, raised some alarms, mainly due to the fact that the JET database engine is included in all versions of Windows, and provided attackers with a huge attack vector they could target.
Also: Should you upgrade to Windows 10 October 2018 Update? CNET
The JET engine was one of Microsoft's first forays in database technologies. It was developed in the 90s and has been used to power various Microsoft apps, with the most recognizable names being Access, Visual Basic, Microsoft Project, and IIS 3.0.
JET has been deprecated and replaced by newer technologies in the meantime, but it is still included with Windows for legacy purpose.
Information security experts criticized Microsoft for failing to patch the vulnerability, mainly because it allowed a remote full compromise of the user's system.
They also remembered that Microsoft was also late to patch a flaw in another legacy product last year --Office's legacy Equation Editor app-- which became one of the most heavily exploited vulnerabilities in the past year.
Fortunately, Microsoft did see the problem with leaving the JET zero-day unpatched in the end and shipped an update this past Tuesday.
But according to Mitja Kolsek, co-founder of 0patch, Microsoft's recent JET patch is incomplete, and an attacker can still exploit the original vulnerability.
"At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it," Kolsek said. "We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix."
Also: Windows 10: A cheat sheet TechRepublic
0Patch, who released a so-called custom "micro-patch" for the JET zero-day when it came out, released another micro-patch today until Microsoft corrects its original JET fix.
The good news is that until now, neither Microsoft nor 0Patch have seen hackers trying to exploit this vulnerability.
Furthermore, to exploit the vulnerability, a user must open/import a specially crafted Microsoft JET Database Engine file, meaning attacks can't be automated at scale, and social engineering is still required to trick the user into opening a malicious file.
In Memoriam: All the consumer products Microsoft has killed off
Previous and related coverage:
How to install, reinstall, upgrade and activate Windows 10
After Windows 10 upgrade, do these seven things immediately
How to upgrade from Windows 10 Home to Pro for free
Related stories:
- A mysterious grey-hat is patching people's outdated MikroTik routers
- Proof-of-concept code published for Microsoft Edge remote code execution bug
- WhatsApp fixes bug that let hackers take over app when answering a video call
- These popular Android phones came with vulnerabilities pre-installed CNET
- Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs
- Microsoft Windows zero-day vulnerability disclosed through Twitter TechRepublic
- Some Apple laptops shipped with Intel chips in "manufacturing mode"