Over the weekend, TTH reported that Microsoft had issued a warning centering on targeted attacks using vulnerabilities in the MJDE (Microsoft Jet Database Engine) that can be exploited via Microsoft Word. Last night, Mike Reavey of the MSRC posted an update.
Microsoft has confirmed the attacks on Word, and released more information about the vulnerability. (IMG: J.Anderson)
The Microsoft Jet Database Engine provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications. Jet can also be used by Internet Information Services (IIS) applications that require database functionality. The reported vulnerability is a code execution vulnerability caused by a buffer overrun in msjet40.dll, the Microsoft Jet Database Engine.
"We have seen two malicious JET database files sent in by anti-virus companies. These files make it clear that some attackers have figured out a way to work around the mitigations built into Outlook," Reavey said. He reveals that the new attacks use the same vulnerability that was seen in November 2007: "In fact, very little was changed about the file compared to cocoruder’s POC file which launched calc.exe. It uses the same column number overflow. Even as far back as March 2005, HexView posted a similar vulnerability in msjet40.dll column handling."
The attacks from 2005 and 2007 were mitigated by blocking measures that Microsoft suggested. However, these new attacks, which allow an attacker to load an MDB file by opening a Word document, changed everything. “The previous guidance does not work against this new attack. The attack sequence is not the dangerous multi-step process of requiring a customer to first change their Outlook and Exchange settings from the secure default of blocking MDB files and then opening the MDB file. Instead, it could occur by having a customer save two DOC files to the hard drive and opening one of them,” Reavey said.
This new attack vector is what prompted the alert issued over the weekend. The SSRIP, Software Security Incident Response Process, was tasked to follow the attacks and issue an out-of-cycle patch or add it to the regular patch cycle.
“We’re investigating if we can ship a security update that prevents Word documents from loading MDB files without prompting. This would block this new vector and would be a great solution if we can find a way to make it work without affecting custom applications. Also, we already have a new version of msjet40.dll that fixes the known attacks,” Reavey said. The new version of msjet40.dll is the reason that Windows Server 2003 SP2 and Vista were immune to the new attacks.
Microsoft has issued the following workarounds in the meantime. From the command prompt, issue the following:
echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N
To reverse the workaround, you will issue:
echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /R everyone
While not a fix, these will mitigate the vectors of attack.
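A small batch wrapper around the two commands above that also reports whether the deny entry is actually present on msjet40.dll. This is an added example, not part of Microsoft's advisory or the original article; the apply/check/revert arguments are made up for illustration, and it assumes an English-language Windows install where cacls lists the deny entry as Everyone:N.

```bat
@echo off
rem Added example: apply, check or revert the msjet40.dll ACL workaround.
rem Assumption: English-language Windows, where the group is named "Everyone"
rem and cacls prints a full deny entry as "Everyone:N".
setlocal
set "DLL=%SystemRoot%\system32\msjet40.dll"
if not exist "%DLL%" goto missing

if /i "%~1"=="apply"  goto apply
if /i "%~1"=="revert" goto revert
if /i "%~1"=="check"  goto check
echo Usage: %~nx0 apply^|check^|revert
exit /b 64

:apply
rem Deny all access to Everyone so the DLL cannot be loaded.
echo y| cacls "%DLL%" /E /P everyone:N >nul
goto check

:revert
rem Remove the Everyone entry again, restoring the previous behaviour.
echo y| cacls "%DLL%" /E /R everyone >nul
goto check

:check
rem List the current ACL and look for the deny entry.
cacls "%DLL%" | findstr /i /c:"Everyone:N" >nul
if errorlevel 1 goto absent
echo Workaround in place: Everyone is denied access to %DLL%
exit /b 0

:absent
echo Workaround NOT in place on %DLL%
exit /b 1

:missing
echo msjet40.dll not found at %DLL%
exit /b 2
```

The exit code reflects the state found after the requested action (0 when the deny entry is present, 1 when it is not), so the check mode can be run on its own to audit a machine.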
More information online: http://www.microsoft.com/technet/security/advisory/950627.mspx