Zero-Day RCE Flaw Found in Microsoft JET Database Engine

Trend Micro’s Zero Day Initiative (ZDI) team has publicly disclosed a serious remote code execution vulnerability in the Microsoft JET Database Engine, which is used by several Microsoft products.

ZDI decided to disclose the flaw even though there’s currently no patch for it because Microsoft exceeded the standard 120-day deadline that ZDI gives vendors to fix reported flaws. The team reported the vulnerability to Microsoft on May 8.

The vulnerability is an out-of-bounds (OOB) write in the JET Database Engine, which is bundled with Windows and is used by several Microsoft products, including Microsoft Office.

“An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file,” ZDI said in a report.

The team tested the vulnerability successfully on a fully patched Windows 7 system but believes that all supported versions of Windows, including the server editions, are affected.

Microsoft patched two other vulnerabilities in the JET engine this month. Those were buffer overflows that affected all Windows versions and could be exploited by tricking users into opening specially crafted Excel files.

Similarly, this new vulnerability can be exploited by opening a file that calls a specially crafted Jet data source via the Object Linking and Embedding Database (OLEDB) API.

In addition to a security advisory and a blog post, ZDI also published proof-of-concept exploit code for the vulnerability on GitHub.

“Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release,” the ZDI team said. “In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.”

Security firm ACROS Security released free unofficial micropatches for this vulnerability through its 0patch.com service. The micropatches can be applied to 32-bit and 64-bit versions of Windows 10, Windows 8.1, Windows 7 and Windows Server 2008 to 2016.

This is the second time a Windows vulnerability has been publicly disclosed as a zero-day—no patch available—in recent months. The other flaw, a privilege escalation issue in the Windows Task Scheduler, was adopted by hackers very soon after disclosure, so there’s a possibility that attackers will jump on this new vulnerability too.

Cisco Fixes Remote Code Execution Flaws in Webex Network Recording Player

Cisco Systems has released a new patch for its Webex Network Recording Player for Advanced Recording Format (ARF) to fix multiple high-rated vulnerabilities that could allow attackers to execute arbitrary code on affected systems.

“The vulnerabilities are due to improper validation of Webex recording files,” Cisco said in its advisory. “An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a malicious file and persuading the user to open the file in the Cisco Webex Player.”

The company advises users to update to Webex Network Recording Player version WBS32.15.10 for Cisco Webex Meetings Suite (WBS32), Webex Network Recording Player version WBS33.3 for Cisco Webex Meetings Suite (WBS33), Webex Network Recording Player version 1.3.37 for Cisco Webex Meetings Online and Webex Network Recording Player versions prior to 3.0MR2 for Cisco Webex Meetings Server.

This is not the first time Cisco has fixed serious flaws in its Webex Network Recording Player that can lead to arbitrary code execution, so unless the Player is needed on an ongoing basis, users should probably consider uninstalling it. The software can be reinstalled anytime it’s needed for legitimate purposes.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
