




The so-called “zero day” vulnerability – an unknown or unanticipated software flaw that can be exploited by hackers – was first flagged privately to the company in May, accompanied by a firm 120-day deadline to fix it.

Public Red Flag After Failure to Fix Bug

The exploitable code was discovered by researcher Lucas Leong of the Trend Micro Security Research team via the Zero Day Initiative (ZDI), a project that encourages and financially rewards the reporting of security loopholes in software to affected vendors, and was reported to Microsoft on May 8.

The US group managed to replicate the bug on May 18, but failed to close the loophole by the four-month deadline. On September 9 it reported an issue with the fix, saying it might miss its monthly software patch update on September 11, leaving observers to conclude that the loophole will now be left open until next month’s patch.

The problem resides in the Microsoft JET Database Engine, potentially allowing an attacker to remotely execute malicious code on any vulnerable Windows computer, with all supported Windows versions affected, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016. JET, or Joint Engine Technology, is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic.

Open Access for Attackers

ZDI noted on its website: “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

“Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.”

Allan Liska, security solutions architect at Recorded Future, explained the vulnerability to SiliconRepublic.com: “The 64-bit versions of Microsoft Windows 10 and Windows Server 2016 both suffer from a local privilege escalation vulnerability that will allow an attacker who already has access to the system to execute any code as an administrator – in effect, giving the attacker full access to the compromised system.”

In a statement to VitalBriefing on September 25, Jeff Jones, Senior Director at Microsoft, said: “Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible.

“To help ensure we are delivering high-quality security updates for our customers, we extensively test each bulletin prior to release,” he added. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.”

User-Privilege Could Thwart Protection Monitoring

The flaw was made public via Twitter in late August and was linked to a posting on GitHub appearing to show a proof of concept for the vulnerability. It was then verified by Will Dormann, a vulnerability analyst at the Computer Emergency Response Team Coordination Center (CERT/CC), a wing of the US Defense Department.

Given the nature of the vulnerability, ZDI advised that until the problem was patched, the only salient mitigation strategy was to restrict interaction with the application to trusted files.

Liska warned, however, that more caution was needed. “If an attacker gains access with user-level privilege (for example, through a browser remote code execution exploit), this mitigation will not work.

“The best bet until Microsoft releases a patch is to monitor for suspicious activity from Task Scheduler (look for the connhost.exe process) and for this specific PoC monitor for spoolsv.exe (the Print Spooler service) spawning unusual processes, though bear in mind that while the PoC uses the Print Spooler service, this vulnerability is not limited to just the Print Spooler.”
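As an added example written from a defender's standpoint (not code from the article, from Recorded Future or from ZDI), the following script applies the parent/child check Liska describes: it walks a set of process-creation records and flags any case where spoolsv.exe starts a child outside a known-good set. The records are constructed here in the shape of Sysmon Event ID 1 fields, and the allowlist of expected spooler children is an assumption standing in for a site's own baseline; the watched-parent table is a dictionary so the same check extends to other parents a team wants to monitor.

```python
"""Flag unexpected child processes of the Print Spooler service.

Added example, not code from the article. Record shape follows Sysmon
Event ID 1 (process creation) fields; the sample records below are
constructed for this example.
"""
import ntpath

# Assumed site baseline of children spoolsv.exe is normally expected to
# start. This allowlist is an assumption for the example, not a list
# taken from the article; a real deployment would derive it from its own
# telemetry.
EXPECTED_SPOOLER_CHILDREN = {"splwow64.exe", "printisolationhost.exe"}

# Watched parents mapped to their expected children. Adding an entry here
# extends the same check to another parent process.
WATCHED_PARENTS = {"spoolsv.exe": EXPECTED_SPOOLER_CHILDREN}

# Constructed sample events (timestamps, hosts and command lines are made up).
SAMPLE_EVENTS = [
    {"UtcTime": "2018-09-12 10:01:02",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "CommandLine": r"C:\Windows\System32\PrintIsolationHost.exe"},
    {"UtcTime": "2018-09-12 10:03:44",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"UtcTime": "2018-09-12 10:03:45",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "CommandLine": r"C:\Windows\System32\spoolsv.exe"},
    {"UtcTime": "2018-09-12 10:05:10",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden"},
    {"UtcTime": "2018-09-12 10:06:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(event, watched=WATCHED_PARENTS):
    """Return a finding dict when a watched parent spawns an unexpected
    child, otherwise None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in watched:
        return None
    if child in watched[parent]:
        return None
    return {
        "time": event.get("UtcTime"),
        "parent": parent,
        "child": child,
        "command": event.get("CommandLine", ""),
    }


def scan(events, watched=WATCHED_PARENTS):
    """Run check_event over every record and collect the findings."""
    return [f for f in (check_event(e, watched) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("{time}  {parent} -> {child}  ({command})".format(**finding))
```

The check keys on the parent image only, so events where spoolsv.exe itself is the child (as started by services.exe) are ignored, and an allowlist miss rather than a denylist hit raises the alert; this is what keeps the rule useful even when the spawned tool is not cmd.exe or powershell.exe.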