By Kelly Fiveash, 26th March 2008 15:13

Attackers hose down Microsoft's Jet DB Engine

Cabbages decided no patch needed

Microsoft has admitted that it was first aware of bugs in its Jet Database Engine way back in 2005, but decided not to patch the problems because the software giant thought it had blocked the attack vectors.

Mike Reavey, a member of the firm’s security team, said on a blog post late Monday that Microsoft had been told by independent researchers about two separate issues in Jet database files, which use the file extension .mdb, in 2005 and 2007.

The firm, perhaps somewhat naively, decided at the time not to issue a security bulletin to its customers. It didn't disclose the information because .mdb files are already on the unsafe file type list, are blocked from being opened in Outlook and are usually removed from incoming email by Exchange.

Or, as Reavey puts it: “Any attempt to attack customers using these issues was heavily mitigated by the blocking.”

Sadly for Microsoft, attackers have worked out how to circumvent Outlook's automatic block by loading an .mdb file through a Word document. Reavey explains in his post that the security flaw could occur when a person saves two .doc files and opens one of them.
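The block Reavey describes keys on the .mdb extension, so a Jet file that reaches Word under another name is never caught by it. The following is an added example (not Microsoft's code, and not from the article) of a mail-gateway check that recognises a Jet database by its documented file header regardless of the attachment's name; the extension policy list and the sample attachments are constructed for the example.

```python
"""Identify Jet database attachments by content, not only by extension."""
from pathlib import Path

# Jet/ACE files start with 00 01 00 00 followed by an ASCII format tag at offset 4.
JET_TAGS = {
    b"Standard Jet DB": "Jet (.mdb)",
    b"Standard ACE DB": "ACE (.accdb)",
}
HEADER_LEN = 4 + 15
# Constructed policy list for this example (mirrors the idea of an unsafe file type list).
BLOCKED_EXTENSIONS = {".mdb", ".mde", ".accdb"}


def jet_kind(data: bytes):
    """Return the Jet/ACE format name if `data` carries a Jet header, else None."""
    if len(data) < HEADER_LEN or data[:4] != b"\x00\x01\x00\x00":
        return None
    return JET_TAGS.get(data[4:HEADER_LEN])


def assess_attachment(name: str, data: bytes) -> dict:
    """Combine the extension policy with content sniffing.

    An attachment is blocked if its extension is on the policy list OR its
    bytes identify it as a Jet database, whatever name it arrived under.
    """
    ext = Path(name).suffix.lower()
    by_ext = ext in BLOCKED_EXTENSIONS
    kind = jet_kind(data)
    if by_ext:
        reason = f"extension {ext} is on the unsafe file type list"
    elif kind:
        reason = f"content is a {kind} database despite the {ext or 'missing'} extension"
    else:
        reason = "allowed"
    return {"name": name, "blocked_by_extension": by_ext, "jet_content": kind,
            "block": by_ext or kind is not None, "reason": reason}


# Constructed sample attachments: a Jet header padded out, and an OLE compound
# document header (D0 CF 11 E0 ...) of the kind a genuine .doc file starts with.
JET_BYTES = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
DOC_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64


def triage_samples() -> list:
    """Run the check over the constructed samples and return the verdicts."""
    return [assess_attachment(n, d) for n, d in
            [("data.mdb", JET_BYTES), ("report.doc", JET_BYTES), ("memo.doc", DOC_BYTES)]]
```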

"So that's why we alerted customers to these attacks and are re-investigating Jet parsing flaws," said Reavey. "This is a new attack vector discovered that we didn't know about previously."

But, despite the fact that hackers have found a way of planting malicious code in .mdb files via Microsoft’s Word application, the company’s security team is still working out whether or not to patch the vulnerability.

One option could be to put up more barriers instead, such as blocking Word from automatically loading .mdb files. The team is also considering replacing the edition of Jet in Windows 2000, XP and Server 2003 SP1 with a newer version, which is already built into Vista and Server 2003 SP2.

Reavey said that .mdb files will “always present attackers an opportunity to run code” and for that reason files for Jet Database Engine, which is a Windows component that provides data access to apps including Access and Visual Basic, will remain on the unsafe file type list.

He added that while the team continues to scratch their heads over the security flaw, customers should never automatically open a .mdb file “received unexpectedly”. ®
