Microsoft Database Bug Goes Unpatched


A fix for the newly disclosed bug in Microsoft's Jet Database Engine, however, was missing from Tuesday's patch parade.

Secunia, which labeled the vulnerability as "highly critical," said that a flaw in how the engine -- the database back end used by Access, Microsoft Visual Basic, and a number of third-party applications -- parses database files could be used by attackers to gain complete control of a targeted PC.

"This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access," Secunia said in its alert.

Exploit code is already circulating, Secunia added, noting that it has been posted to a public mailing list. The vulnerability exists in the most recent version of Access 2003 -- included in some versions of Office 2003 -- and affects even users running Windows XP SP2, said Secunia.
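With exploit code public and no fix shipped, the practical interim control is to stop crafted .mdb files at the mail gateway or web proxy. The following is an added example written for this page, not code from the article or from Secunia, HexView or Microsoft. It identifies Jet database files by their header (the documented "Standard Jet DB" signature at offset 4, with the engine-version byte at offset 0x14) rather than by file extension, so a renamed attachment is still caught, and then applies a quarantine policy that is this example's own assumption. The sample headers it checks are constructed inline and are not real, openable databases.

```python
"""Content-based detection of Jet (.mdb) database files for a gateway filter.

Added example for this page; not code from the article, Secunia, HexView or
Microsoft. While the Jet parsing bug is unpatched and exploit code is public,
quarantining Jet files by header (not by extension) is one interim control.
"""

# Jet/ACE database header layout, per the publicly documented file format:
#   offset 0x00: 4 bytes, always 00 01 00 00
#   offset 0x04: NUL-terminated signature "Standard Jet DB" (or "Standard ACE DB")
#   offset 0x14: engine version byte (0x00 = Jet 3 / Access 97,
#                0x01 = Jet 4 / Access 2000-2003)
JET_MAGIC = b"\x00\x01\x00\x00"
JET_SIGNATURES = {
    b"Standard Jet DB\x00": "Jet",
    b"Standard ACE DB\x00": "ACE",
}
JET_VERSIONS = {0x00: "Jet 3 (Access 97)", 0x01: "Jet 4 (Access 2000-2003)"}
HEADER_LEN = 0x15  # magic (4) + signature (16) + version byte (1)

# Extensions that Access associates with Jet databases (assumed policy list).
DATABASE_EXTENSIONS = {"mdb", "mde", "mda", "accdb"}


def identify_jet(data: bytes):
    """Return (engine, version_name) if data starts with a Jet/ACE header, else None."""
    if len(data) < HEADER_LEN or data[:4] != JET_MAGIC:
        return None
    for sig, engine in JET_SIGNATURES.items():
        if data[4:4 + len(sig)] == sig:
            ver = data[0x14]
            return engine, JET_VERSIONS.get(ver, f"unknown (0x{ver:02x})")
    return None


def gateway_verdict(filename: str, data: bytes) -> dict:
    """Classify an attachment by content, not by name.

    Policy (this example's assumption, not a vendor recommendation):
      - any Jet/ACE database is quarantined, whatever the extension;
      - a database extension whose content is not Jet is also quarantined,
        since the name/content mismatch is itself suspicious;
      - everything else is allowed.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_database = ext in DATABASE_EXTENSIONS
    jet = identify_jet(data)
    if jet is not None:
        engine, version = jet
        return {
            "action": "quarantine",
            "reason": f"{engine} database, {version}",
            "mismatch": not claims_database,  # e.g. a .txt that is really a Jet DB
        }
    if claims_database:
        return {
            "action": "quarantine",
            "reason": "database extension with non-Jet content",
            "mismatch": True,
        }
    return {"action": "allow", "reason": "not a Jet database", "mismatch": False}


def make_jet_header(version: int, engine: bytes = b"Jet", size: int = 64) -> bytes:
    """Constructed sample: a Jet-style header only, padded with zeros.

    This is NOT a real or openable .mdb file; it exists so the detector can be
    exercised offline.
    """
    sig = b"Standard " + engine + b" DB\x00"
    return (JET_MAGIC + sig + bytes([version])).ljust(size, b"\x00")


if __name__ == "__main__":
    # Constructed attachments: names and contents are illustrative only.
    samples = [
        ("quarterly.mdb", make_jet_header(0x01)),   # Jet 4, honest extension
        ("notes.txt", make_jet_header(0x00)),       # Jet 3 hiding behind .txt
        ("archive.mdb", b"PK\x03\x04" + b"\x00" * 60),  # ZIP named as a database
        ("readme.txt", b"Plain text, nothing to see." * 3),
    ]
    for name, blob in samples:
        print(f"{name:16} -> {gateway_verdict(name, blob)}")
```

The detector reads only the first 21 bytes, so it is cheap enough to run on every attachment; if your gateway can only match on extension, the mismatch flag above shows exactly the case it would miss.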


"Microsoft is currently investigating these new public reports of a possible vulnerability in Microsoft Office and we have been made aware that exploit code for this vulnerability has been released," said a company spokesperson. Microsoft went on to say that it's not aware of any active attacks using the exploit code, but it "will continue to aggressively investigate the reports."

The company wouldn't commit to a timeline for producing a patch, and as is its custom, stated that it would "take the appropriate action, which may include providing a fix through our monthly release process or an out-of-cycle security update."

According to Secunia, the original disclosure of the vulnerability came from a group called HexView, which said that it had notified Microsoft of the bug on March 30. HexView's policy, which is to give vendors as little as 24 hours' notice before going public with a flaw, is certainly at odds with Microsoft, which in the past has slammed security researchers for announcing vulnerabilities before a patch is available.

Microsoft didn't shy away from blasting HexView, again with a now-standard response from a spokesperson, who said "Microsoft is concerned that this new report of a vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk."

Microsoft released eight security bulletins Tuesday that included 18 vulnerabilities, seven of which were marked as "critical," but none addressed the bug in Jet.

This isn't the first time the Jet Database Engine has been singled out by attackers. Last year, Microsoft patched Jet against a different bug in its MS04-014 bulletin.