The patch Microsoft released for JET vulnerability does not seem to be complete. The vulnerability still seems to exist in the JET database engine. That while Microsoft thought it had closed the gap at Patch Tuesday last week.
The vulnerability came to light sometime in mid-September when the Trend Micro Zero-Day Initiative (ZDI) wrote details about it on its website. The ZDI stated that Microsoft had not been able to close the gap in time and had therefore decided to make the problems public. According to the logic of the ZDI, users and companies would then be able to take action to protect themselves against hacking attempts.
The vulnerability caused a lot of worries, mainly because the JET database engine can be found in all versions of Windows. Hackers therefore have a great deal of potential in terms of victims at their disposal. Security experts are highly critical of Microsoft and its failure to release a patch quickly enough. According to connoisseurs, this is particularly annoying because the leak makes it possible for hackers to fully take over a user’s system.
It is not the first time that Microsoft came up late with the patch for a vulnerability found in a legacy product. The same thing happened earlier with the Equation Editor app within Office. This was one of the biggest and most exploited vulnerabilities in Microsoft software last year.
Patch does not work
The JET engine is one of Microsoft’s first attempts to develop database technology and was released in the 1990s. It was used to power a few Microsoft apps, including Access, Visual Basic and IIS 3.0. The system was replaced by newer techniques a long time ago, but Microsoft always allows it to exist as a legacy product.
Last Patch Tuesday, Microsoft fortunately released a patch for the problems. But according to Mitja Kolsek, co-founder of 0patch, this is not complete and attackers can still exploit the original vulnerability. For this reason, it releases a new micropatch to prevent the problems from being exploited. We have informed Microsoft about the problems and will not release any new details until a patch has been released, says Kolsek.
There would have been no attempts by hackers to actually exploit the vulnerability.This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.