Update: 9th January 2019:
Microsoft have now resolved the unpatched JET vulnerability. It has been designated as CVE-2019-0579. It appears it took extra time since binary differential analysis shows that larger sections of the file msrd3x40.dll have been re-designed to proactively mitigate future vulnerabilities.
Further details are located here. Thank you.
Update: 3rd January 2019:
As of the 19th of December; the firm 0patch have confirmed the incomplete patch for this vulnerability has not yet been revised by Microsoft.
Update: 24th October 2018:
According to Acros Security CEO Mitja Kolsek the fix for this vulnerability from Microsoft is incomplete and mitigates but does not resolve the vulnerability.
As before; my assessment of the difficulty an attacker would face in exploiting this vulnerability remains accurate. The attack first needs you to take an action you wouldn’t otherwise take; if you don’t they can’t compromise your system.
Details of the incomplete nature of the vulnerability are not being disclosed while the patch is re-evaluated. Acros Security has notified Microsoft of this incomplete fix and is awaiting a response. In the meantime; their micropatch completely mitigates the vulnerability.
I’ll keep this post updated as more details become available. Thank you.
Update: 9th October 2018:
Microsoft’s scheduled updates for October 2018 resolve this vulnerability. Thank you.
In the latter half of last week; Trend Micro’s Zero Day Initiative publically disclosed (defined) a zero day vulnerability (defined) within the Microsoft JET Database Engine (defined).
Why should this vulnerability be considered important?
This vulnerability should be considered high but not critical severity. When exploited it can allow an attacker to execute code (to carry out any action of their choice) but they cannot initiate this automatically/remotely. They must socially engineer a potential victim into opening an attachment ( most likely sent over email or via instant messaging etc.). This attachment would need to be a specific file containing data stored in the JET database format. Another means would be visiting a webpage but 0patch co-founder Mitja Kolsec could not successfully test this means of exploit.
This vulnerability exists on Windows 7 but is believed to also exist on all versions of Windows including the Server versions.
How can I protect my organization/myself from this vulnerability?
At this time; a patch/update from Microsoft is pending and is expected to be made available in October’s Update Tuesday (9th October).
In the meantime; please continue to exercise standard vigilance in particular when using email; e.g. don’t click on suspicious links received within emails, social media, via chat applications etc. Don’t open attachments you weren’t expecting within an email (even if you know the person; since their email account or device they access their email may have been compromised) and download updates for your software and devices from trusted sources e.g. the software/device vendors. This US-CERT advisory also provides advice for safely handling emails.
If you choose to; the firm 0patch has also issued micro-patch for this vulnerability as a group of two patches. This was the same firm who micro-patched the recent Windows Task Scheduler vulnerability. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.