MS-ISAC ADVISORY NUMBER:
2008-018

DATE(S) ISSUED:
5/18/2008

SUBJECT:
Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in the Microsoft Jet Database Engine that could allow a remote attacker to take complete control of an affected system.

Please note that this vulnerability is being actively exploited. The Microsoft Jet Database Engine allows programs to access information in a Microsoft database. This vulnerability can be exploited if a user opens a malicious Word file. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the application. This can result in an attacker gaining the same user privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. This could lead to complete control of the compromised system. Failed exploits could lead to a denial of service condition.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Professional x64 Edition
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 with SP1 for Itanium-based Systems

RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High

DESCRIPTION:
The Microsoft Jet Database Engine provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Microsoft Jet Database Engine can also be used by Internet applications that require database functionality. This vulnerability is caused by the Microsoft Jet Database Engine not performing sufficient validation of a data structure. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Microsoft Jet Database Engine on an affected system. Possible attack vectors include a malformed MDB file or a Word file that contains a malformed MDB object delivered as an email attachment or hosted on a web site.

An attacker who successfully exploits an affected system could execute arbitrary code in the context of the application which can lead to complete control of the system. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. Failed attempts will result in a denial of service.

This vulnerability is actively being exploited on the Internet.

RECOMMENDATIONS:
We recommend that the following actions be taken:

  • Apply the appropriate patches to vulnerable systems as soon as possible, after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or un-trusted sources.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS08-028.mspx(New Window)

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026(New Window)

Secunia:
http://secunia.com/advisories/14896/(New Window)

Security Focus:
http://www.securityfocus.com/bid/26468/(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.