Microsoft October 2018 Patch Slightly Flawed and Unable To fully Rectify Jet Database Engine Vulnerability

On the 20th of September, Trend Micro’s Zero Day Initiative (ZDI) went public with the details of a remote code execution vulnerability that would allow attackers to use the flawed Jet Database Engine to run macros through Microsoft Office programs and carry out malicious activity on the target’s computer. We covered this previously; you can read it here.

Regarding this issue, ZDI released a micropatch on the 21st of September which fixed the vulnerability and urged Microsoft to correct it in the following patch. ZDI then reviewed Microsoft’s October 2018 update and found that, while the security flaw was addressed, the fix only limited the vulnerability rather than eliminating it.

With the new patch, attackers will certainly have a harder time exploiting the vulnerability, but it can still be triggered by specially crafted Jet Database files designed to cause an out-of-bounds (OOB) write, which in turn enables remote code execution.

With new problems come new solutions: ACROS Security, through its 0patch division, has rolled out an 18-byte micropatch that eliminates the vulnerability rather than limiting it, by correcting the vulnerable ‘msrd3x4.dll’ binary.

“At this point, we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it. We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix,” said Mitja Kolsek, CEO of ACROS Security.

Users can apply the micropatch by visiting the 0patch website, creating an account, downloading the 0patch agent and registering the agent to that account. You can read the complete blog post, with a detailed explanation of how to get the micropatch, on 0patch’s blog here.

Bill Wilson
Bill is a certified Microsoft Professional providing assistance to over 500 remotely connected employees and managing Windows 2008 to 2016 servers.