21 September 18, 20:46
(This post was last modified: 21 September 18, 20:49 by silversurfer.)
Quote:According to the Zero Day Initiative (ZDI), the flaw is an out-of-bounds (OOB) write in the Microsoft JET Database Engine, which underlies the Microsoft Access and Visual Basic software; it’s a less well-known alternative to Microsoft’s flagship SQL Server.
According to ZDI, the specific flaw exists within the management of indexes in JET. It can be triggered by opening a booby-trapped JET database file via OLEDB, which is an API designed by Microsoft that enables data to be accessed from an array of disparate sources in a uniform manner. That consequently would cause a “write past the end of an allocated buffer,” i.e., a crash, which in turn would allow an adversary to execute code with the same privileges as the target machine’s legitimate user.
The good news is that exploiting the flaw would take some social engineering; the target would need to be coaxed to open a specially crafted file containing malicious data stored in the JET database format (and ZDI pointed out in its advisory on Thursday that various applications use that format). Adversaries could also trigger an exploit with a weaponized web page, according to ZDI
Source: https://threatpost.com/unpatched-microso...on/137597/