Microsoft Jet Database Engine Attacked Through Word

Friday, March 21, 2008 at 9:03pm by Craig Schmugar

A few weeks ago we blogged about recent MS Access exploits being nothing new. Well, there is now something new.

On the heels of Symantec blogging about a new tandem Word document/Access database exploit, Microsoft released Security Advisory (950627). As we stated before, Microsoft considers MDB files to be unsafe. Accordingly, Microsoft email clients prevent users from attempting to double-click on MDB (Microsoft Access Database) files. Up until recently, attackers typically exploited MS Jet DB vulnerabilities through MDB files, and therefore Microsoft stuck to their “MDB files are unsafe” story. Well that’s changed.

In several recent, yet limited, attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word. The Word docs are coded to reference Access database files regardless of extension (which allows attackers to circumvent content filters looking for specific email attachment extensions).

An attack scenario looks like this:

  1. A user receives an email message with 2 attachments (one of which is a Word document)
  2. The email client saves the attachments to the same directory
  3. The user opens the Word document, which in turn opens the Access database containing the exploit code

In another scenario the attackers have archived both the database and Word document in a ZIP file, but the principle is the same.
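The extension-filter bypass in both scenarios comes from trusting the file name. As an added example (not part of the original post), this sketch classifies attachments by their leading bytes, looks one level into ZIP archives, and reports a Jet database under a non-MDB name or alongside a legacy Office document. The function names, finding labels and sample file names are hypothetical, and the sample bytes are constructed.

```python
import io
import zipfile

MAGIC = {"jet": b"\x00\x01\x00\x00Standard Jet DB",       # Jet database (.mdb)
         "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # legacy Office (.doc)
         "zip": b"PK\x03\x04"}
HEAD = 32  # leading bytes kept per file; covers the longest signature

def classify(head):
    """Return the signature name matching the leading bytes, else 'other'."""
    return next((k for k, m in MAGIC.items() if head.startswith(m)), "other")

def headers(attachments):
    """Yield (name, leading bytes) per file, looking one level into ZIPs."""
    for name, data in attachments:
        if classify(data) != "zip":
            yield name, data[:HEAD]
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        with zf.open(info) as member:  # read header only
                            yield f"{name}!{info.filename}", member.read(HEAD)
        except (zipfile.BadZipFile, RuntimeError):
            yield name, data[:HEAD]  # corrupt or encrypted: leave opaque

def review_message(attachments):
    """Return findings for one message's [(filename, bytes), ...]."""
    kinds = [(name, classify(head)) for name, head in headers(attachments)]
    jet = [name for name, kind in kinds if kind == "jet"]
    findings = [f"jet-db-disguised:{name}" for name in jet
                if not name.lower().endswith(".mdb")]
    if jet and any(kind == "ole2" for _, kind in kinds):
        findings.append("office-doc-with-jet-db")
    return findings

def zip_of(files):  # sample helper: pack [(name, bytes)] into an in-memory ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files:
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: signatures plus padding, no real document or exploit.
DOC = ("invoice.doc", MAGIC["ole2"] + b"\x00" * 64)
DB = ("invoice.dat", MAGIC["jet"] + b"\x00" * 64)
print(review_message([DOC, DB]))
print(review_message([("files.zip", zip_of([DOC, DB]))]))
```

The OLE2 signature matches any legacy Office container, not only Word, so the pairing finding is a triage signal rather than a verdict.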

Microsoft states that Msjet40.dll versions greater than 4.0.9505.0 are not vulnerable, which means this issue was (silently) fixed for Windows Server 2003 SP2 and Windows Vista.

McAfee DAT files version 5256 (released March 20) detect all known Access exploits as Exploit-MSJet.

Comments (6)

  • Petievich April 7, 2008 8:24AM

    I have noticed rumbling about something called “Postcard”. Is this a present threat?……..George

  • Craig Schmugar March 26, 2008 10:10AM

    Vincent: Yes, that was a horrible typo. Fixed.

    Duffman: I could have stated it more clearly, but the fact is that Microsoft has treated Access-related exploits (such as MS Jet) very differently from, say, Word exploits. And their latest Security Advisory covers an MS Jet DB vulnerability (not Word). So while they have yet to change their position on MDB files in terms of considering them “safe”, they have changed their process/response for at least this case (so far).

  • Duffman March 25, 2008 4:02AM

    This sentence: “and therefore Microsoft stuck to their “MDB files are unsafe” story. Well that’s changed.” really needs to be rewritten; as is, it looks as if Microsoft's claim that MDB files are unsafe has changed (i.e., MDB files are now safe). What you are really saying is that databases are now attacked by means other than MDB files. It is really confusing when other websites quote only a part of the paragraph.

  • Vincent Leong March 25, 2008 1:54AM

    There might be a typo: “Microsoft states that Msjet40.dll versions lower than 4.0.9505.0 are not vulnerable.”

    From Microsoft Security Advisory 950627: “If the version of Msjet40.dll is lower than 4.0.9505.0, you have a vulnerable version of the Microsoft Jet Database Engine.”

    You meant they *are* vulnerable?

    Cheers, Vincent

  • luc March 24, 2008 8:19AM

    If Vista is not affected, this does NOT mean it has been silently fixed, but this means the code is different or more robust, and so the Vista version is not affected.

  • Aa'ed Alqarta March 22, 2008 10:03PM

    Who still allows “.zip” attachments in? Why do we keep running in the same loop? Attackers are winning because they are 100% sure that there are users who left the antispam filter working under the default settings, or who think that the running AV will protect against all threats for the next 10 years. Wake up, dudes!

    http://extremesecurity.blogpsot.com