Microsoft Jet Database Engine Attacked Through Word
Friday March 21, 2008 at 9:03 pm CST
Posted by Craig Schmugar
A few weeks ago we blogged about a recent MS Access exploits being nothing new. Well there is now something new.
On the heels of Symantec blogging about a new tandem Word document/Access database exploit; Microsoft released Security Advisory (950627). As we stated before, Microsoft considers MDB files to be unsafe. Accordingly, Microsoft email clients prevent users from attempting to double-click on MDB (Microsoft Access Database) files. Up until recently attackers typically exploited MS Jet DB vulnerabilities through MDB files, and therefore Microsoft stuck to their “MDB files are unsafe” story. Well that’s changed.
In several recent-yet limited-attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word. The Word docs are coded to reference Access database files regardless of extension (which allows attackers to circumvent content filters looking for specific email attachment extensions).
An attack scenario looks like this:
- A user receives an email message with 2 attachments (one of which is a Word document)
- The email client saves the attachments to the same directory
- The user opens the Word document, which in turn opens the Access database containing the exploit code
In another scenario the attackers have archived both the database and Word document in a ZIP file, but the principle is the same.
Microsoft states that Msjet40.dll versions greater than 4.0.9505.0 are not vulnerable, which means this issue was (silently) fixed for Windows Server 2003 SP2 and Windows Vista.
McAfee DAT files version 5256 (released March 20) detect all known Access exploits as Exploit-MSJet.
March 22nd, 2008 at 22:03
Who still allows “.zip” attachments in? why we keep running in the same loop ? Attackers are winning because they are 100% sure, that there are users who left the antispam filter working under the default settings. Or thinking that the running AV will protect against all threats for the next 10 years. Wake up dudes !
http://extremesecurity.blogpsot.com
March 24th, 2008 at 08:19
if Vista is not affected, this does NOT mean it has been silenty fixed, but this means the code is different or more robust, and so Vista version is not affected
March 25th, 2008 at 01:54
There might be a typo: “Microsoft states that Msjet40.dll versions lower than 4.0.9505.0 are not vulnerable.”
From Microsoft Security Advisory 950627: “If the version of Msjet40.dll is lower than 4.0.9505.0, you have a vulnerable version of the Microsoft Jet Database Engine.”
You meant they *are* vulnerable?
Cheers, Vincent
March 25th, 2008 at 04:02
This sentance: “and therefore Microsoft stuck to their “MDB files are unsafe” story. Well that’s changed.” really needs to be rewritten, as is it looks as if Microsoft claims of MDB files are unsafe has changed (IE MDB files are now safe). When you are really saying is that databases are now attacked by means other then MDB files. It is really confusing when other websites quote only a part of the paragraph.
March 26th, 2008 at 10:10
Vincent: Yes, that was a horrible typo. Fixed.
Duffman: I could have stated it more clearly, but the fact is that Microsoft has treated Access related exploits (such as MS Jet) very different from say Word exploits. And their latest Security Advisory covers an MS Jet DB vulnerability (not Word). So while they have yet to change their position on MDB files in terms of considering them “safe”, they have changed their process/response for at least this case (so far).
April 7th, 2008 at 08:24
I have noticed rumbling about something called “Postcard”. Is this a present threat?……..George