
Exploit available, but Microsoft won’t fix Access database hole

A security researcher using the pseudonym cocoruder recently reported a stack overflow vulnerability in the way the Microsoft® JET Engine parses MDB files. According to cocoruder, a remote attacker can exploit the vulnerability to execute arbitrary code on the affected system. This apparently requires that the victim open a specially crafted MDB file, which could be arranged, for example, by emailing the file or by placing it on a web server, something that is particularly easy for an attacker inside the target organization.

A proof of concept exploit has been published.

The initial report only mentioned one Microsoft Access™ version as vulnerable. However, a Securityfocus article lists a number of JET, Access and Microsoft Excel® versions.

According to cocoruder, Microsoft Corporation (Nasdaq: MSFT) had, prior to the vulnerability’s public disclosure, given him the following answer:

You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330

Considering that MDB is the default file format for most Microsoft Access versions in existence, the response is a cop-out of the worst kind. Sure, whenever an MDB file is opened in Access, a warning pops up, but what does Microsoft honestly expect the average corporate user to do when he is handcuffed into using their “unsafe” Access anyway? It’s like selling cars that pop up a “will explode if driven” warning as you put the gear into D.

What do you think? Please leave your comment!
