A zero-day vulnerability in the Microsoft Windows Jet Database Engine has been disclosed by Trend Micro’s Zero Day Initiative even though a security update is not currently available from Microsoft.
This vulnerability was discovered by Lucas Leong of the Trend Micro Security Research team and could allow attackers to perform remote code execution on a vulnerable machine. For the attack to work, a specially crafted Jet database file would need to be opened, which would then trigger an out-of-bounds write to a memory buffer in the program. This would then lead to remote code execution on the targeted Windows computer.
This vulnerability has been assigned the ID ZDI-18-1075 and is stated to affect “Windows”. It is not known whether all versions of Windows are affected by this vulnerability.
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.”
As Microsoft has not released a security update for this vulnerability, the disclosure states that the only way to prevent this attack is to open only trusted Jet database files.
“Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the…
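To support the mitigation of opening only trusted Jet database files, the following added example (not from the article or the ZDI advisory) finds Jet/ACE database files by content rather than by name, so one saved under another extension is still flagged for review. The header signature, the version byte offset, the extension list and the sample file names are assumptions of this example.

```python
import os
import tempfile

# Assumed file signature: 00 01 00 00, then "Standard Jet DB\0" or
# "Standard ACE DB\0", with a format version byte at offset 0x14.
MAGIC_PREFIX = b"\x00\x01\x00\x00"
ENGINES = {b"Standard Jet DB\x00": "Jet", b"Standard ACE DB\x00": "ACE"}
USUAL_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}
HEADER_LEN = 0x15

def classify_header(header: bytes):
    """Return (engine, version_byte) for a Jet/ACE header, else None."""
    if len(header) < HEADER_LEN or not header.startswith(MAGIC_PREFIX):
        return None
    engine = ENGINES.get(header[4:20])
    return (engine, header[0x14]) if engine else None

def scan_tree(root: str):
    """List (relative_path, engine, version_byte, disguised) for each hit.

    disguised is True when the file extension is not a usual database one.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hit = classify_header(fh.read(HEADER_LEN))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if hit:
                ext = os.path.splitext(name)[1].lower()
                findings.append((os.path.relpath(path, root), hit[0], hit[1],
                                 ext not in USUAL_EXTENSIONS))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (headers only, not real databases)."""
    jet_header = MAGIC_PREFIX + b"Standard Jet DB\x00" + b"\x01"
    samples = [("orders.mdb", jet_header), ("invoice.pdf", jet_header),
               ("notes.txt", b"plain text, long enough to be read")]
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_tree` at a download or mail-attachment directory gives a list of files to hold back until their source is confirmed; it identifies the file type only and does not judge whether a given database is malicious.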