Zero Day Initiative (ZDI), a division of a Japanese multinational cyber security and defense company, recently found a serious security flaw in Microsoft’s JET Database Engine, which is built into various Microsoft products.
ZDI reported that this vulnerability allows potential attackers to execute arbitrary code in Microsoft’s JET Database Engine. The engine is an underlying component of a database, a collection of information stored on a computer in a systematic way, and it acts as the groundwork for many of Microsoft’s products, including the widely used Microsoft Office. ZDI described the flaw as an “out-of-bounds (OOB)” write in JET. “An attacker could leverage this vulnerability to execute code under the context of the current process, however it does require user interaction since the target would need to open a malicious file,” ZDI further added in their report.
— Zero Day Initiative (@thezdi) September 20, 2018
The ZDI team was aware of this vulnerability in May and reported it to Microsoft, giving them a 120-day period before going public with the information. Since then, Microsoft has been working on a patch to fix this vulnerability, and we hope to see the fix in the October patch release.
ZDI has confirmed that this flaw exists in Windows 7, and it is highly likely that subsequent versions are impacted by this bug too. Their advice to users follows: “In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.” Refer to their official blog post for details.