Trend Micro’s Zero Day Initiative (ZDI) team disclosed a still-unpatched remote code execution vulnerability in Microsoft’s JET Database Engine yesterday, claiming the software giant failed to fix the flaw within its 120-day disclosure window.
Discovered by Trend Micro researcher Lucas Leong, the zero-day bug is an out-of-bounds write issue pertaining to the management of indexes within the engine. "Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process," ZDI explains in a blog post and accompanying security advisory.
ZDI claims it privately reported the issue to Microsoft on 8 May, but four months later, on 9 September, Microsoft replied that the fix might not be ready in time for Patch Tuesday. Indeed, two days later, on 11 September, Microsoft released an update for JET that included two patches for buffer overflows, but nothing for the out-of-bounds write bug.
Until the bug is adequately remedied, ZDI recommends that JET users only open trusted files.
The researchers believe all supported versions of Windows, including server editions, are affected, although the problem was confirmed only in Windows 7.
SC Media has reached out to Microsoft for comment.