Trend Micro Security Research team disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows including servers

Mar 15, 2019
Posted by
GIS Consulting 110

Microsoft’s lack of action has compelled Lucas Leong who works as a researcher in Trend Micro Security Research team to reveal details of zero-day vulnerability applicable to all Windows versions including servers. The vulnerability involves the Microsoft JET Database Engine, which is integrated in products such as Microsoft Access and Visual Basic.

According to an advisory released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution. An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.

Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process,” Trend Micro’s Zero Day Initiative wrote in its blog post.

“Various applications use this database format. An attacker using this would be able to execute code at the level of the current process.

According to the ZDI researchers, the vulnerability exists in all supported Windows variations, together with Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016.

ZDI reported the vulnerability to Microsoft on May 8, and the tech big confirmed the bug on 14 May, however, did not patch the vulnerability and launch an replace inside a 120-day (four months) deadline, making ZDI go public with the vulnerability particulars.

Proof-of-concept exploit code for the vulnerability has additionally been printed by the Trend Micro its GitHub web page.

Microsoft is engaged on a patch for the vulnerability, and because it was not included in September Patch Tuesday, you’ll be able to anticipate the repair in Microsoft’s October patch launch.
Trend Micro recommends all affected customers to “restrict interaction with the application to trusted files,” as mitigation till Microsoft comes up with a patch.