
By | Kelly Fiveash 26th March 2008 15:13

Attackers hose down Microsoft's Jet DB Engine

Cabbages decided no patch needed

Microsoft has admitted that it was first aware of bugs in its Jet Database Engine way back in 2005, but decided not to patch the problems because the software giant thought it had blocked the attack vectors.

Mike Reavey, a member of the firm’s security team, said on a blog post late Monday that Microsoft had been told by independent researchers about two separate issues in Jet database files, which use the file extension .mdb, in 2005 and 2007.

The firm, perhaps somewhat naively, decided at the time not to issue a security bulletin to its customers. It didn’t disclose the information because .mdb files are already on the unsafe file type list, are blocked from being opened on Outlook and are usually removed from incoming email by Exchange.

Or, as Reavey puts it: “Any attempt to attack customers using these issues was heavily mitigated by the blocking.”

Sadly for Microsoft, attackers have worked out how to circumvent Outlook's automatic block by loading an .mdb file through a Word document. Reavey explains in his post that the security flaw could be triggered when a person saves two .doc files and opens one of them.

“So that’s why we alerted customers to these attacks and are re-investigating Jet parsing flaws," said Reavey. "This is a new attack vector discovered that we didn’t know about previously."

But, despite the fact that hackers have found a way of planting malicious code in .mdb files via Microsoft’s Word application, the company’s security team is still working out whether or not to patch the vulnerability.

One option could be to put up more barriers instead, such as blocking Word from automatically loading .mdb files. The team is also considering replacing the edition of Jet in Windows 2000, XP and Server 2003 SP1 with a newer version, which is already built into Vista and Server 2003 SP2.

Reavey said that .mdb files will “always present attackers an opportunity to run code” and for that reason they will remain on the unsafe file type list. The Jet Database Engine is a Windows component that provides data access to applications including Access and Visual Basic.

He added that while the team continues to scratch their heads over the security flaw, customers should never automatically open a .mdb file “received unexpectedly”. ®
