Recently our friends from Pandalabs published a weblog,Â statingÂ there is a new MicrosoftÂ access exploit found in the wild. We initiated some research on this exploit and foundÂ itÂ actually targets an older well known vulnerability, CVE-2005-0944, found by the hexview team in March 2005. It’s very easy to exploit this vulnerability. We had observed similar exploits last year, and the dropper used in this case looks very similar to that one.
Microsoft considers MDB filesÂ to beÂ unsafe, so a specific patch for this vulnerability has not beenÂ released since it was made public 3 years ago.
The interesting thing about this vulnerability is that it happens in msjet40.dll, which was never updated on a Windows XP SP2 since the release of MS04-014 (for other platforms, please check out http://support.microsoft.com/kb/239114).
In this specific case, the dropper uses a jump address in mswstr10.dll, which is part of MS JET 4.0 engine package. So for XP SP2 users the trojan gets executed in almost all cases no matter whichever version of Office XP and 2003 you are using. We tested Office 2007, 2003 and XP and found that only Office 2007 was immune to this vulnerability.
McAfee AV detects this recent exploit via DAT 5236 which was released February 22 and our IntruShield NIPS sensors can detect and block this by our generic protection signatures for MS Access “HTTP: Microsoft Jet DB Engine Buffer Overflow” released on November 13, 2007.
Since Microsoft doesn’t patch Access-related vulnerabilities, we highly recommend Office users never open untrusted MDB files.