Windows JET Database Engine continues to be vulnerable to remote code execution bug after Microsoft released a patch in the October security updates rollout.
The vulnerability, now identified as CVE-2018-8423, was disclosed publicly by TrendMicro's Zero Day Initiative program on September 20, before Microsoft could manage to include a fix.
Until Microsoft's update, users could benefit from the protection of a micropatch - a temporary correction applied while the software is running - that became available from Acros Security 24 hours after the bug disclosure. When available, these interim fixes are delivered for free through the 0Patch platform.
According to Acros Security CEO Mitja Kolsek, Microsoft's solution is not complete, and it only limits the vulnerability instead of eliminating it.
He claims the discovery of the problem after comparing Microsoft's method to deal with it and the initial micropatch his company provided. Kolsek says that Microsoft has been notified about the bad repair and he will keep the details about the issue under wraps until the release of a proper correction.
"We have, however, issued a micropatch that corrects Microsoft's patch. Namely, in an ironical twist of fate, Microsoft's October update actually re-opened the CVE-2018-8423 vulnerability for 0patch users who were previously protected by our micropatch," Kolsek writes in a blog post today.
He explains that the new in-memory fix applies to the latest revision of the 'msrd3x40.dll' binary, which is the vulnerable component in Windows JET Engine that Microsoft updated from version 4.0.9801.0 to 4.0.9801.5 in its attempt to remove the security bug.
CVE-2018-8423 affects 32-bit versions of Windows 7 through 10 and Server versions 2012, 2016 and 2019, Core included. It allows a remote attacker to run arbitrary code and potentially take control of the affected system, allowing them to install programs, view, change, or delete data; they could also create new accounts with full user rights.
Evaluated with a high severity score, an attacker can exploit the vulnerability it if they convince a target to open a specially crafted Microsoft JET Database Engine file delivered via email. This scenario is a typical for phishing, targeted or not.
At the moment there are no details about the vulnerability being exploited in the wild. Microsoft estimates that an attacker would have difficulties in creating exploit code, although it does not exclude this possibility with a sufficiently motivated and skilled attacker.