A remote code execution vulnerability impacting the Microsoft Jet Database Engine has been disclosed by Trend Micro.
The bug, which is thought to impact “all supported Windows version[s], including server editions,” is unpatched at the time of writing.
The Trend Micro Zero Day Initiative enforces a set time limit after notifying vendors of serious security issues. The group permits 120 days to resolve a vulnerability before public disclosure.
Microsoft has exceeded this deadline.
The vulnerability is an out-of-bounds (OOB) write flaw which can be triggered by opening a Jet source via a Microsoft component known as Object Linking and Embedding Database (OLEDB).
“The specific flaw exists within the management of indexes in the Jet database engine,” the security researchers say. “Crafted data in a database file can trigger a write past the end of an allocated buffer.”
TechRepublic: 8 best practices for managing software patches
If exploited, the security flaw could lead to remote code execution in the context of the current user.
However, the saving grace of this vulnerability is that in order to trigger an exploit, user interaction is required through the opening of a crafted, malicious file containing Jet database information.
Proof-of-concept (PoC) code has been made public on GitHub.
The vulnerability was reported to Microsoft on May 8. While Microsoft resolved two separate buffer overflow bugs impacting Jet in the latest Microsoft…