Volume 6, Number 19 -- May 14, 2008

Microsoft Patches Zero Day Flaw in Windows

Published: May 14, 2008

by Alex Woodie

Microsoft yesterday issued four security patches for its products, including one patch that fixes a critical zero-day vulnerability in a Windows component that is currently being exploited on the Web. All told, Microsoft patched six flaws yesterday, including four critical flaws that attackers could use to take complete control of affected systems.

If you could only install one of yesterday's patches, you would do best by installing Security Bulletin MS08-028, which fixes the zero-day flaw in Microsoft's Jet 4.0 database engine. The flaw affects only older operating systems, including Windows 2000 SP4, Windows XP SP2, Windows XP Pro X64, Windows Server 2003 SP1, Windows Server 2003 X64, and Windows Server 2003 SP1 for Itanium. More recent service packs of Windows XP and Windows Server 2003 are not affected, and neither are Vista or Server 2008.

The Jet, or Joint Engine Technology, database is a compact database engine included in the Microsoft Data Access Components (MDAC) libraries in both client and server versions of the Windows operating systems, and the core database engine for Microsoft Access. It was often used to provide structure and integrity for Visual Basic apps, Access databases, or even Word docs and e-mails. While the Jet database engine has since been replaced with entry-level versions of SQL Server in recent versions of Windows, it's still heavily used behind the scenes in older versions of Windows.

A buffer overrun in the Jet database is being exploited by attackers who trick users into opening a malformed Word file with a Jet (.mdb) file embedded into it. This is a new attack vector, Microsoft says in its security bulletin, as Jet database files with the .mdb extension were already considered unsafe files, since the original Jet flaw was corrected way back in 2004.

Microsoft credits several groups, including CERT, the SANS Institute, and Aaron Portnoy of TippingPoint Technologies with reporting the flaw. However, these credits apparently don't include the flaw's original discoverer, according to Tyler Reguly, a security researcher for the security technology firm nCircle. Reguly took Microsoft to task for its slow reaction to patching the Jet flaw, which was first brought to users' attention in a March security advisory.

"Microsoft’s initial response to this vulnerability was that they wouldn't patch. So, the original researcher released the vulnerability," Reguly says. "Now they have released a fix but refused to acknowledge the original researcher. This response flies in the face of their constant messaging about responsible disclosure."

Other critical patches issued yesterday include Security Bulletin MS08-026. This patch fixes two remote execution flaws in Word, including the Object Parsing vulnerability, which could enable a malformed .rtf file to compromise the system via a memory calculation error, and the Word Cascading Style Sheets vulnerability, which could allow computers to be compromised over the Web. The flaws affect Word versions 2000, 2002, 2003, 2007, and Outlook 2007. Microsoft says neither flaw had been publicly disclosed before yesterday, and credits iDefense Labs, team509, and the Zero Day Initiative with reporting the flaws.

Security Bulletin MS08-027 addresses a critical vulnerability in Microsoft Publisher that could enable an attacker to take total control of a computer running any version of Office from Office XP to Office 2007. The Publisher Object Handling vulnerability can be exploited over the Web and e-mail, but had not been exploited in the wild before Tuesday, Microsoft says. Fortinet Security Research gets credit for spotting the flaw.

The final patch issued yesterday, Security Bulletin MS08-029, fixes two moderate denial of service vulnerabilities discovered in Microsoft's Malware Protection Engine. Neither of the flaws has been exploited, says Microsoft, which credits Nevis Labs with reporting the errors.

nCircle's Reguly was surprised that Microsoft decided to patch the DoS vulnerabilities in the Malware Protection Engine, saying more severe DoS problems in other products have gone unfixed in the past. "The only reason this one is being fixed is because it affects a security product," he says.




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034