Out-of-bounds write needs user interaction

Sep 21, 2018 13:18 GMT

Detailed information about a still-unpatched zero-day vulnerability in Microsoft's JET Database Engine has been released by Trend Micro's Zero Day Initiative (ZDI) after the 120-day disclosure deadline passed.

As explained by ZDI, the zero-day vulnerability found in the Microsoft Windows JET Database Engine could allow attackers to remotely execute code on any vulnerable installation of the software.

The flaw the research team found lies in the JET Database Engine's handling of indexes, and threat actors can exploit it with a specially crafted JET database file that triggers an out-of-bounds write leading to remote code execution.

Fortunately, attackers cannot exploit the vulnerability without user interaction, because a successful exploit requires the target to open the malicious database file first, a step that bad actors cannot automate.

Microsoft patched two buffer overflow bugs earlier in September (CVE-2018-8392 and CVE-2018-8393), but it has yet to release a patch for the remote code execution vulnerability discovered by ZDI.

The vulnerability has been publicly disclosed after the 120-day disclosure timeline expired

Trend Micro's Zero Day Initiative initially reported the zero-day RCE vulnerability on May 8 and received a reply on May 14 confirming that Microsoft had successfully reproduced the issue.

However, Microsoft delayed a patch because of internal issues, and after ZDI alerted the company on September 10 to the vulnerability's zero-day potential, the security research team publicly released an advisory on September 20.

"Our investigation has confirmed this vulnerability exists in Windows 7, but we believe that all supported Windows versions are impacted by this bug, including server editions," stated ZDI's Simon Zuckerbraun.

As a mitigation, Trend Micro recommends that all potentially affected users only open files received from trusted sources.

ZDI also mentions that Microsoft is working on a patch to address the issue, which could be included in Redmond's October patch release.