Microsoft’s JET Vulnerability Patch Incomplete, Researchers Say

The patch released by Microsoft last week for a zero-day flaw in the JET database engine is incomplete and does not fully address the issue, according to a vulnerability research firm.

The flaw, tracked as CVE-2018-8423, was disclosed Sept. 20 through Trend Micro’s Zero Day Initiative (ZDI) program, after Microsoft failed to release a patch before the program’s 120-day disclosure deadline expired.

The vulnerability affects the JET database engine, a technology that’s included in all supported Windows versions for compatibility reasons because it was used in the past by several Microsoft products, including Microsoft Access. Exploiting the flaw requires user interaction, such as opening a file sent via email, but could lead to a full compromise of the vulnerable system.

When it was made public, the vulnerability was accompanied by proof-of-concept exploit code and had a zero-day status—no patch was available for it. Researchers from vulnerability research firm ACROS Security released a so-called micropatch through its service.

Micropatches are applied with the help of a locally installed agent and modify vulnerable processes directly in memory to prevent known vulnerabilities. This process doesn’t require a system or process restart and can be reversed easily without causing damage to actual files.

After Microsoft released its own official patch for CVE-2018-8423 last Tuesday, the 0patch team reverse-engineered it out of curiosity to compare it with their own micropatch.

“At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it,” Mitja Kolsek, a researcher with ACROS’ 0patch Team, said in a blog post. “We promptly notified Microsoft about it and will not reveal further details or proof-or-concept until they issue a correct fix.”

Meanwhile, ACROS released a new free micropatch that can be applied to the new version of msrd3x40.dll, the vulnerable file patched by Microsoft. The new micropatch is officially available for 32-bit and 64-bit versions of Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012, but the ACROS researchers believe it might work on all affected Windows versions.

Users who already deployed the company’s old micropatch for CVE-2018-8423 and haven’t yet deployed Microsoft’s official fix don’t have to do anything, as they are still protected, Kolsek said.

History has shown that attackers are quick to adopt new vulnerabilities, especially when they are disclosed with working proof-of-concept (PoC) code that can be weaponized quickly.

PoC Exploit Available for Microsoft Edge Remote Code Execution Flaw

PoC exploit code has also become available for a different remote code execution vulnerability patched in Windows last week.

That flaw, tracked as CVE-2018-8495, stems from how the Windows Shell handles URIs and can be exploited when a specifically crafted web page is opened in Microsoft Edge. The vulnerability was discovered and was reported to Microsoft through the ZDI program by a researcher named Abdulrahman Al-Qabandi.

Following the flaw’s patching last Tuesday, Al-Qabandi published a blog post in which he details how the vulnerability works and which includes proof-of-concept exploit code.

In addition to CVE-2018-8423 and CVE-2018-8495, attackers also have knowledge of a third vulnerability—a privilege escalation vulnerability in the Windows Win32k component that’s tracked as CVE-2018-8453.

In fact, this vulnerability was reported to Microsoft by researchers from Kaspersky Lab, who found it being used in targeted attacks in the Middle East by an APT group called FruityArmor. The group uses it to gain system privileges on targeted systems to deploy a PowerShell-based backdoor.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin