Tag Archives: Microsoft JET Database

October 2018 Update Summary

Earlier today Microsoft resolved 49 vulnerabilities more formally known as CVEs (defined).

At the time of writing; there are known issues with the Windows 7 NIC being an issue again this month:

4459266 : Can be resolved by installed the Microsoft Exchange update with administrative (defined) privileges.

4462917 : No workaround at this time.

4462923 : Workaround available.

As always; further details are available in Microsoft’s update summary for October. Moreover, Adobe issued 4 updates today patching the following products:
Adobe Digital Editions (priority 3, resolves 4x critical and 5x important CVEs)

Adobe Experience Manager (priority 2. 3x important and 2x moderate CVEs)

Adobe Framemaker (priority 3, resolves 1x important CVE)

Adobe Technical Communications Suite (priority 3, resolves 1x important CVE)

Earlier this month Adobe released updates for Acrobat DC and Reader DC resolving 86 CVEs (47x critical and 39x important). These were in addition to the updates made available in September (which resolved 1x critical and 6 important CVEs).

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Acrobat DC and Reader DC. No updates for Flash Player have been distributed so far this month.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

2x vulnerabilities  affecting Microsoft Hyper-V (affects Windows 10, Windows 8.1 (including Windows RT 8.1) and Windows 7 along with their Server equivalents)(the links above provide details on both vulnerabilities)

Microsoft JET database (resolved by installing the latest cumulative update for your version of Windows: Windows 10; Windows 8.1 or Windows 7.

Microsoft Exchange Server 2016, 2013 and 2010

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox:
=======================
In early September Mozilla made available updated versions of Firefox:

Firefox 62.0.3: Resolves 2x critical CVEs (defined)

Firefox ESR 60.2.2 (Extended Support Release): Resolves 2x critical CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
VMware
=======================
VMWare has issued 2 security advisories so far for October:

Security advisory 1 (addresses 1 critical vulnerability) in the following products:

  • AirWatch Console 9.1 to 9.7

Security advisory 2 (addresses 1 important vulnerability via a mitigation) in the following products:

  • ESXI
  • Fusion
  • Workstation Pro

If you use the above VMware products, please review the security advisories and apply the necessary updates/mitigations.

Protecting Against the Microsoft JET Database Zero Day Vulnerability

====================
Update: 9th January 2019:
====================
Microsoft have now resolved the unpatched JET vulnerability. It has been designated as CVE-2019-0579. It appears it took extra time since binary differential analysis shows that larger sections of the file msrd3x40.dll have been re-designed to proactively mitigate future vulnerabilities.

Further details are located here. Thank you.

====================
Update: 3rd January 2019:
====================
As of the 19th of December; the firm 0patch have confirmed the incomplete patch for this vulnerability has not yet been revised by Microsoft.

====================
Update: 24th October 2018:
====================
According to Acros Security CEO Mitja Kolsek the fix for this vulnerability from Microsoft is incomplete and mitigates but does not resolve the vulnerability.

As before; my assessment of the difficulty an attacker would face in exploiting this vulnerability remains accurate. The attack first needs you to take an action you wouldn’t otherwise take; if you don’t they can’t compromise your system.

Details of the incomplete nature of the vulnerability are not being disclosed while the patch is re-evaluated. Acros Security has notified Microsoft of this incomplete fix and is awaiting a response. In the meantime; their micropatch completely mitigates the vulnerability.

I’ll keep this post updated as more details become available. Thank you.

=======================
Update: 9th October 2018:
=======================
Microsoft’s scheduled updates for October 2018 resolve this vulnerability. Thank you.

=======================
Original Post:
=======================
In the latter half of last week; Trend Micro’s Zero Day Initiative publically disclosed (defined) a zero day vulnerability (defined) within the Microsoft JET Database Engine (defined).

Why should this vulnerability be considered important?
This vulnerability should be considered high but not critical severity. When exploited it can allow an attacker to execute code (to carry out any action of their choice) but they cannot initiate this automatically/remotely. They must socially engineer a potential victim into opening an attachment ( most likely sent over email or via instant messaging etc.). This attachment would need to be a specific file containing data stored in the JET database format. Another means would be visiting a webpage but 0patch co-founder Mitja Kolsec could not successfully test this means of exploit.

This vulnerability exists on Windows 7 but is believed to also exist on all versions of Windows including the Server versions.

How can I protect my organization/myself from this vulnerability?
At this time; a patch/update from Microsoft is pending and is expected to be made available in October’s Update Tuesday (9th October).

In the meantime; please continue to exercise standard vigilance in particular when using email; e.g. don’t click on suspicious links received within emails, social media, via chat applications etc. Don’t open attachments you weren’t expecting within an email (even if you know the person; since their email account or device they access their email may have been compromised) and download updates for your software and devices from trusted sources e.g. the software/device vendors. This US-CERT advisory also provides advice for safely handling emails.

If you choose to; the firm 0patch has also issued micro-patch for this vulnerability as a group of two patches. This was the same firm who micro-patched the recent Windows Task Scheduler vulnerability. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Thank you.