Trend Micro's Zero Day Initiative (ZDI) team disclosed a still-unpatched remote code execution vulnerability in Microsoft's JET Database Engine yesterday, claiming the software giant failed to fix the flaw within its 120-day disclosure window.

Discovered by Trend Micro researcher Lucas Leong, the zero-day bug is an out-of-bounds write issue pertaining to the management of indexes within the engine. "Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process," ZDI explains in a blog post and accompanying security advisory.

ZDI claims it privately reported the issue to Microsoft on May 8, but four months later, on Sept. 9, Microsoft replied that the fix might not be ready in time for Patch Tuesday. Indeed, two days later, on Sept. 11, Microsoft released an update for JET that included two patches for buffer overflows, but nothing for the out-of-bounds write bug.

Until the bug is adequately remedied, ZDI recommends that JET users only open trusted files.

The researchers believe all supported versions of Windows, including server editions, are affected, although the problem was confirmed only in Windows 7.

"Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible," said Jeff Jones, Microsoft senior director, in an email response to SC Media. "To help ensure we are delivering high-quality security updates for our customers, we extensively test each bulletin prior to release. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month."