A remote code execution vulnerability was recently observed in Microsoft's JET Database Engine that allowed attackers to write to an arbitrary memory address and crash Microsoft Excel on systems running all supported Windows versions, from Windows 7 to Windows 10.
The vulnerability was first observed by Honggang Ren, a security researcher at FortiGuard Labs, who noted that an improper bounds check in the JET Database Engine allowed a buffer overflow which, in turn, resulted in the overwriting of the variable later used as a copy destination.
"We can see that the root cause of this vulnerability is the malformed size value 0x100C, which is located in the PoC file at offset 0x228. The proper value should be 0x0C. Due to insufficient bounds check, the malformed size value results in the overwriting of a key neighbour global variable in the memcpy function call.
"Then, in the next memcpy function call, the overwritten global variable with an arbitrary value is used in memory copy as the destination address, which results in a code execution condition. Successful exploitation of this vulnerability could lead to remote code execution," Ren wrote in a blog post.
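The bug class Ren describes, a size field taken from the file and checked only against the source length before a memcpy into a fixed-size destination, is shown below as an added illustration. This is not Ren's proof of concept, FortiGuard's code, or the JET engine's real parser: the record layout (a 2-byte little-endian size field followed by payload), the `parse_state` struct, and the function names are constructed for the example. Only the two size values 0x0C and 0x100C come from the article. The defective variant is kept purely for contrast with the hardened one; the demonstration only ever feeds it the well-formed record, because running it on the malformed one is undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy record layout, not the real JET on-disk format: a 2-byte
 * little-endian size field followed by `size` bytes of payload. */
#define HEADER_LEN 2
#define RECORD_CAPACITY 0x0C   /* the well-formed size value quoted in the article */

/* The destination buffer sits next to a pointer-sized field, mirroring the
 * article's description of a neighbouring global variable being overwritten
 * and then consumed as the destination of a later memcpy. */
struct parse_state {
    uint8_t  buf[RECORD_CAPACITY];
    uint8_t *later_copy_dest;   /* hypothetical neighbour used by a later copy */
};

static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Defective pattern: the size is validated only against the *source* length,
 * never against the destination capacity, so a size of 0x100C passes and the
 * memcpy runs past buf into the neighbouring field. Kept for contrast only;
 * never invoke it on untrusted input. */
int copy_record_source_check_only(struct parse_state *st, const uint8_t *file, size_t file_len) {
    if (file_len < HEADER_LEN) return -1;
    uint16_t size = read_u16le(file);
    if ((size_t)size > file_len - HEADER_LEN) return -1;   /* source-only bound */
    memcpy(st->buf, file + HEADER_LEN, size);               /* destination bound unchecked */
    return (int)size;
}

/* Hardened pattern: an untrusted size is checked against both the source
 * length and the destination capacity before any bytes are copied. */
int copy_record_checked(struct parse_state *st, const uint8_t *file, size_t file_len) {
    if (file_len < HEADER_LEN) return -1;
    uint16_t size = read_u16le(file);
    if ((size_t)size > file_len - HEADER_LEN) return -1;   /* truncated file */
    if (size > RECORD_CAPACITY) return -2;                  /* would overrun buf */
    memcpy(st->buf, file + HEADER_LEN, size);
    return (int)size;
}

/* Build a constructed record with the given size field; payload is 'A' bytes.
 * Returns the total record length, or 0 if the output buffer is too small. */
size_t build_record(uint8_t *out, size_t out_cap, uint16_t size) {
    size_t total = HEADER_LEN + (size_t)size;
    if (total > out_cap) return 0;
    out[0] = (uint8_t)(size & 0xFF);
    out[1] = (uint8_t)(size >> 8);
    memset(out + HEADER_LEN, 'A', size);
    return total;
}

int main(void) {
    static uint8_t good[HEADER_LEN + 0x0C];
    static uint8_t bad[HEADER_LEN + 0x100C];
    struct parse_state st = {0};

    size_t good_len = build_record(good, sizeof good, 0x0C);    /* proper value */
    size_t bad_len  = build_record(bad,  sizeof bad,  0x100C);  /* malformed value */

    printf("well-formed record, checked copy: %d bytes\n", copy_record_checked(&st, good, good_len));
    printf("malformed record, checked copy:  %d (rejected)\n", copy_record_checked(&st, bad, bad_len));
    /* copy_record_source_check_only would accept the malformed record as well;
     * in the real engine that unchecked copy is what clobbered the neighbour. */
    return 0;
}
```

The point for reviewers of parsing code is that the defective version behaves identically to the hardened one on every well-formed file, which is why the missing destination check survives ordinary testing; only a length field larger than the fixed buffer exposes the difference.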
According to FortiGuard Labs, the JET Database Engine supports several Microsoft products and the vulnerability therefore impacted several functions in Windows OS. Microsoft eventually fixed the code execution vulnerability in the database engine by issuing a patch earlier this month.
All users of systems running Microsoft Windows OS have been urged to upgrade their systems to the latest version of the operating system to remove this vulnerability.
Commenting on the discovery and patching of the vulnerability, Naaman Hart, managed services security engineer at Digital Guardian, told SC Magazine UK that buffer overflow or overrun attacks are exploited by cyber-criminals to force an in-memory item to exceed its bounds and then write malicious code into neighbouring memory sections.
"When those neighbours then execute, they include the additional malicious instructions that the criminal placed there. Unfortunately, businesses can’t predict all buffer overflow attacks as you are reliant on all applications used within a business being written in a way that prevents this problem. Microsoft will have resolved this issue by strengthening the JET Database Engine to properly check the boundaries of their buffers so as to not allow an overrun.
"A business that is damaged by this attack has failed on two vital aspects of a strong security posture. First, basic security training: Employees must understand not to open attachments from unknown senders, or businesses should put in safeguards such as not allowing macros – code within Excel – to run automatically. Second, not patching properly: Microsoft has already released a patch for this, which businesses should ensure is included in their next Windows update," he added.