Microsoft Admits Ignoring Jet Flaw



David Utter
Staff Writer
2008-03-25



Security engineers at Microsoft declined for years to address the flaw behind this latest exploit, as they believed existing protections mitigated the threat.


Microsoft admitted it has known about the vulnerability in the Jet Database Engine since March 2005. The flaw received attention recently as new exploits targeting it began circulating on the Internet last week.

In an update on the Microsoft Security Resource Center blog, Mike Reavey owned up to Microsoft's inaction on the problem over the past three years:

These new attacks, discussed in Friday's security advisory, use the exact same vulnerability as was posted in a November 2007 full-disclosure posting by cocoruder. In fact, very little was changed about the file compared to cocoruder's POC file which launched calc.exe. It uses the same column number overflow.

Even as far back as March 2005, HexView posted a similar vulnerability in msjet40.dll column handling. You'll notice that both the HexView and the cocoruder posting mention that they first submitted their samples to the MSRC, but the MSRC replied back that they would not address the issues via a security bulletin because any attempt to attack customers using these issues was heavily mitigated by the blocking mentioned earlier in this post.

Reavey noted that Outlook, Exchange, and Internet Explorer regularly block or warn about .mdb files coming into a PC. However, the latest attacks deliver the malicious .mdb payload through a Word document that the user opens.

Windows Server 2003 and Windows Vista are not vulnerable, as they contain a newer version of msjet40.dll that lacks the flaw being exploited. The best protection for now, pending a broader release of the updated msjet40.dll, is to avoid opening unexpected attachments in email.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
