A Microsoft Zero-day vulnerability that existing in Microsoft JET Database Engine has been crossed zero-day Initiative (ZDI) 120 days disclosure deadline and now it released in public.
ZDI initially reported this zero-day flow to Microsoft on May 8, 2018, since then Microsoft acknowledged the vulnerability and started working on it to provide the patch for Windows.
This Zero-day flow discovered and reported by Lucas Leong of Trend Micro Security Research and the vulnerability allows an attacker to run an arbitrary code in Microsoft’s Jet database engine.
— Zero Day Initiative (@thezdi) September 20, 2018
This specific vulnerability existing in the management of indexes in the Jet database engine that allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
In order to trigger this Microsoft Zero-day vulnerability, the attacker needs to send a specially crafted file containing data stored in the JET database format and the user needs to open the file to trigger this vulnerability in victims machine.
According to ZDI, “The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB. Here’s a look at the resulting crash”
Mainly user interaction does require to successfully exploit this vulnerability in victims machine by tricking them to open the malicious file.
ZDI research confirms that this Microsoft Zero-day existing in the Windows 7 and they believe all supported Windows version are impacted by this bug. You can also find the Proof-of-concept code here.
As of now this vulnerability is not yet patched and Microsoft continuously working on it to patch this critical Zero-day vulnerability and we expect the patch in the regularly scheduled October Tuesday patch release since it’s not released in September patch.