
Report: Microsoft misses disclosure deadline to patch RCE bug in JET

Trend Micro's Zero Day Initiative (ZDI) team disclosed a still-unpatched remote code execution vulnerability in Microsoft's JET Database Engine yesterday, claiming the software giant failed to fix the flaw within its 120-day disclosure window.

Discovered by Trend Micro researcher Lucas Leong, the zero-day bug is an out-of-bounds write issue in the engine's handling of indexes. "Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process," ZDI explains in a blog post and accompanying security advisory.

ZDI claims it privately reported the issue to Microsoft last May 8, but four months later on Sept. 9, Microsoft replied that the fix might not be ready in time for Patch Tuesday. Indeed, two days later on Sept. 11, Microsoft released an update for JET that included two patches for buffer overflows, but nothing for the out-of-bounds write bug.

Until the bug is adequately remedied, ZDI recommends that JET users only open trusted files.

The researchers believe all supported versions of Windows, including server editions, are affected, although the problem was confirmed only in Windows 7.

"Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible," said Jeff Jones, Microsoft senior director, in an email response to SC Media. "To help ensure we are delivering high-quality security updates for our customers, we extensively test each bulletin prior to release. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
