The Channel logo

News

By | Kelly Fiveash 26th March 2008 15:13

Attackers hose down Microsoft's Jet DB Engine

Cabbages decided no patch needed

Microsoft has admitted that it was first aware of bugs in its Jet Database Engine way back in 2005, but decided not to patch the problems because the software giant thought it had blocked the attack vectors.

Mike Reavey, a member of the firm’s security team, said on a blog post late Monday that Microsoft had been told by independent researchers about two separate issues in Jet database files, which use the file extension .mdb, in 2005 and 2007.

The firm, perhaps somewhat naively, decided at the time not to issue a security bulletin to its customers. It didn’t disclose the information because .mdb files are already on the unsafe file type list, are blocked from being opened on Outlook and are usually removed from incoming email by Exchange.

Or, as Reavey puts it: “Any attempt to attack customers using these issues was heavily mitigated by the blocking.”

Sadly for Microsoft, attackers have worked out how to circumnavigate Outlook's automatic block by loading an .mdb file through a Word document. Reavey explains in his post that the security flaw could occur when a person saves two .doc files and opens one of them.

“So that’s why we alerted customers to these attacks and are re-investigating Jet parsing flaws," said Reavey. "This is a new attack vector discovered that we didn’t know about previously."

But, despite the fact that hackers have found a way of planting malicious code in .mdb files via Microsoft’s Word application, the company’s security team is still working out whether or not to patch the vulnerability.

One option could be to put up more barriers instead, such as blocking Word from automatically loading .mdb files. The team is also considering replacing the edition of Jet in Windows 2000, XP and Server 2003 SP1 with a newer version, which is already built into Vista and Server 2003 SP2.

Reavey said that .mdb files will “always present attackers an opportunity to run code” and for that reason files for Jet Database Engine, which is a Windows component that provides data access to apps including Access and Visual Basic, will remain on the unsafe file type list.

He added that while the team continues to scratch their heads over the security flaw, customers should never automatically open a .mdb file “received unexpectedly”. ®

comment icon Read 14 comments on this article alert Send corrections

Opinion

Chris Mellor

Drives nails forged with Red Hat iron into VCE's coffin
Sleep Cycle iOS app screenshot

Trevor Pott

Forget big-spending globo biz: it's about the consumer... and he's desperate for a nap
Steve Bennet, ex-Symantec CEO

Chris Mellor

Enormo security firm needs to get serious about acquisitions

Features

Windows 8.1 Update  Storeapps Taskbar
Chinese Buffet self-service
Chopping down the phone tree to scrump low-hanging fruit
An original member of the System/360 family announced in 1964, the Model 50 was the most powerful unit in the medium price range.
Big Blue's big $5bn bet adjusted, modified, reduced, back for more
Microsoft CEO Satya Nadella
Redmond needs to discover the mathematics of trust