www.broadbandreports.com
  
exocet_cm
edit:
November 16th, @06:07PM

 Zero-Day Microsoft Access Exploit

Note: attached file is e-mail in .htm format with links and images
This just in my inbox from Watchguard Firebox
quote:
Public and Unpatched: Zero Day Microsoft Access Exploit
Severity: Medium
16 November, 2007

Summary:
Today, a Chinese researcher released an advisory warning of a serious, zero day vulnerability affecting Windows Access 2003 (and most likely, earlier versions). By enticing one of your users into opening a malicious MDB file, an attacker can exploit this flaw to execute code on that user's computer, potentially gaining complete control of the victim's machine. If you use Microsoft Office 2003 with Access, you should implement the workarounds described in the Solution Path section of this alert until Microsoft releases a patch.

Exposure:
A Chinese security researcher calling himself Cocoruder released a security advisory today, describing a new, unpatched buffer overflow vulnerability in the Microsoft Jet Engine component (msjet40.dll) that Access uses to parse MDB files. By enticing one of your users into opening a maliciously crafted MDB file, an attacker can exploit this flaw to execute code on that user's computer, with that user's privileges. If the victim has local administrative privileges, the attacker could leverage this flaw to gain total control of the victim's computer.

Cocoruder released this advisory before Microsoft released a patch fixing this issue. According to Cocoruder's advisory, he contacted Microsoft about the flaw, but he claims Microsoft said they would not fix it. He further claims that in reply to Cocoruder's vulnerability disclosure, Microsoft wrote to him, "You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit »support.microsoft.com/kb/925330."

Making matters worse, Cocoruder has released a Proof-of-Concept (PoC) file that exploits this vulnerability, and proves that the flaw works. If you open his PoC file in a vulnerable version of Access, it automatically spawns Windows calculator. The LiveSecurity team has tested this PoC on a lab machine and it worked as advertised. While this particular PoC is benign, blackhat attackers could easily modify the PoC to run just about anything on your machine, instead of merely a calculator. If you use Access, you should consider this zero day flaw a serious risk.

Solution Path:
Microsoft hasn't patched this zero day vulnerability, and Cocoruder alleges that they do not plan to. For now you have two courses of action. First, remain aware of this vulnerability and the potential hazard that unsolicited .MDB files carry. Second, block .MDB files at your gateway. Your Firebox can help you do this (see below).

For All WatchGuard Firebox Users:
You can configure most WatchGuard Firebox models to block Access Database (.MDB) files at your gateway. Since most organizations typically don't need to receive Access database files from the outside world, blocking them will not affect most users. If you think your organization might be an exception to that generalization, your best choices are either to call appropriate managers whose teams use Access and inquire whether they must receive MDB files over the Internet; or, it might be more efficient (and safe) to block the filetype using your firewall and see whether anyone complains.

If you want to block .MDB files that arrive via email and the web, follow the instructions for your WatchGuard Firebox product.

Status:
Microsoft has not released a patch for this issue. We will update you if and when they do.
References:
Cocoruder's Microsoft Jet Engine Security Advisory »ruder.cdut.net/blogview.asp?logID=227
This alert was researched and written by Corey Nachreiner, CISSP.

Attached file is e-mail in .htm format.
Mods and Admins: feel free to edit/move/delete at will.
~exo

Update: If you use ReportExec in your corporation, understand that it relies heavily on MS Access and the Microsoft Jet Engine. This program is used widely in the Public Safety sector. Be careful opening files that use MS Access or are sent to you for use in ReportExec.
--
"I have measured out my life with coffee spoons..." - T.S Eliot
Check Out the Tech Bench »johnball.wordpress.com/tech-bench/
Ma blog: »www.johndball.com
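The gateway workaround quoted above blocks by file type. As an added example (not part of the post or the WatchGuard alert), the sketch below applies the same rule to a mail message and also checks attachment content, so a database renamed to another extension is still caught. The Jet header signature comes from the MDB file format rather than from the advisory, and the function names and the sample message are constructed for illustration.

```python
import email
import email.policy
from email.message import EmailMessage

# Jet 3.x/4.x database files begin with these 4 bytes plus an ASCII signature.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"
BLOCKED_EXTENSIONS = (".mdb",)  # the file type the alert recommends blocking


def is_jet_database(data: bytes) -> bool:
    """True when the payload starts with the Jet database header."""
    return data.startswith(JET_MAGIC)


def flag_attachments(raw_message: bytes):
    """Return (filename, reason) for every MIME part that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append((name, "extension"))
        elif is_jet_database(payload):
            # Extension looks harmless, but the content is an Access database.
            findings.append((name, "content"))
    return findings


def build_sample() -> bytes:
    """Constructed test message: one .MDB, one renamed MDB, one text file."""
    jet = JET_MAGIC + b"\x00" * 64  # header only, not a real database
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for name, data in (("report.MDB", jet), ("invoice.pdf", jet),
                       ("notes.txt", b"hello")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_attachments(build_sample()):
        print(f"BLOCK {name}: matched on {reason}")
```

Matching on extension alone misses the second attachment in the sample; the content check is what flags it.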