Security researchers from the Zero Day Initiative (ZDI) have found a vulnerability in the Microsoft Jet Database Engine. The vulnerability allows hackers to make use of remote code execution. This means that code can be executed remotely. That’s what ITPro reports.
The Microsoft Jet Database Engine is an underlying component of a database. It is a collection of information that is systematically stored on the computer. It is the foundation of many of Microsoft’s products, including Office’s products.
“An attacker can use this vulnerability to execute code in the context of the current process,” says Simon Zuckerbraun, security researcher at ZDI. “This requires user interaction, as the target has to open a rogue file.”
The vulnerability affects all supported Windows versions, including the server versions. The vulnerability can be caused by opening a Jet source via a Microsoft component called Object Linking and Embedding Database (OLEDB).
“A user must open a specially created file containing data in the JET database format,” says Zuckerbraun. “Several applications use this database format. An attacker who uses it could execute code at the level of the current process.”
October update
Microsoft was notified of the vulnerability in May and was able to reproduce the error quickly. The ZDI gave the company 120 days to solve the problem before they made the information public. Although the company has solved two other errors in Jet in its last Patch Tuesday, this error has not yet been resolved. This may not happen until the October update.
The ZDI states that given the nature of the vulnerability, “the only strategy to prevent it is to restrict interaction with the application to trusted files”.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.