March 24, 2008
10:31 pm

The MSRC on Friday afternoon posted an advisory about limited, targeted attacks using JET database files, commonly referred to by their MDB file extension. Many of you probably remember that MDB files are on the unsafe file type list (http://support.microsoft.com/kb/925330): Outlook blocks them from being opened, Exchange is commonly configured to strip them from incoming email, and IE shows the same scary prompts for them as it does for EXEs when they are clicked. So why the hubbub?

First – let me describe the attacks we’ve seen:

We have seen two malicious JET database files sent in by anti-virus companies. These files make it clear that some attackers have figured out a way to work around the mitigations built into Outlook.
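The mitigations listed above all key off the MDB file extension, which is exactly what an attacker controls. The check below is an added example, not code from the original post or from Microsoft: it identifies a JET database by its on-disk signature (the string "Standard Jet DB" at byte offset 4, with "Standard ACE DB" for the newer ACCDB format) rather than by extension, so a JET file shipped under a harmless-looking name is still flagged. The sample attachments are constructed inline; the extension list is deliberately limited to .mdb here, whereas the real unsafe-file-type list in KB925330 is longer.

```python
# Added example: detect JET/ACE database files by content signature
# instead of trusting the file extension. Constructed sample data only.

# Jet 3/4 (.mdb) and ACE (.accdb) files carry this signature at offset 4,
# preceded by four bytes that are not meaningful for this check.
JET_MAGIC = b"Standard Jet DB\x00"
ACE_MAGIC = b"Standard ACE DB\x00"
SIGNATURE_OFFSET = 4

# Assumption for this example: only .mdb is on our block list. KB925330's
# unsafe file type list is longer; extend this set from that list in practice.
BLOCKED_EXTENSIONS = {".mdb"}


def is_jet_database(data: bytes) -> bool:
    """True if the bytes look like a JET (mdb) or ACE (accdb) database."""
    end = SIGNATURE_OFFSET + len(JET_MAGIC)
    if len(data) < end:
        return False
    sig = data[SIGNATURE_OFFSET:end]
    return sig == JET_MAGIC or sig == ACE_MAGIC


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def scan_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment the way an extension-only filter would, and
    the way a content-aware filter would, so the gap between them is visible.

    verdict is one of:
      'blocked-by-extension'  - the extension filter already stops it
      'jet-content-wrong-ext' - JET database hiding behind another extension
      'clean'                 - neither check fires
    """
    ext_blocked = extension_of(filename) in BLOCKED_EXTENSIONS
    content_jet = is_jet_database(data)
    if ext_blocked:
        verdict = "blocked-by-extension"
    elif content_jet:
        verdict = "jet-content-wrong-ext"
    else:
        verdict = "clean"
    return {
        "filename": filename,
        "extension_blocked": ext_blocked,
        "content_is_jet": content_jet,
        "verdict": verdict,
    }


def build_sample_jet_header(magic: bytes = JET_MAGIC) -> bytes:
    """Constructed sample: a minimal JET-looking header for demonstration.
    The leading four bytes mimic the version prefix seen in real files."""
    return b"\x00\x01\x00\x00" + magic + b"\x00" * 44


# Constructed attachments: one honestly named, one renamed, one unrelated.
SAMPLE_ATTACHMENTS = [
    ("quarterly.mdb", build_sample_jet_header()),
    ("quarterly.doc", build_sample_jet_header()),   # JET bytes, .doc name
    ("readme.txt", b"Nothing to see here.\n"),
]


def scan_all(attachments=SAMPLE_ATTACHMENTS) -> list:
    return [scan_attachment(name, data) for name, data in attachments]


if __name__ == "__main__":
    for result in scan_all():
        print(f"{result['filename']:<16} {result['verdict']}")
```

Run stand-alone, the renamed attachment is the one the extension filter misses and the signature check catches; treating that verdict as equivalent to a block is the practical takeaway.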

These new attacks, discussed in Friday's security advisory, use the exact same vulnerability that cocoruder described in a November 2007 full-disclosure posting. In fact, very little was changed in the file compared to cocoruder's PoC file, which launched calc.exe; it uses the same column-number overflow. Even as far back as March 2005, HexView posted a similar vulnerability in msjet40.dll column handling. You'll notice that both the HexView and the cocoruder postings mention that they first submitted their samples to the MSRC, and that the MSRC replied it would not address the issues via a security bulletin because any attempt to attack customers using them was heavily mitigated by the file-type blocking mentioned earlier in this post.


Microsoft, Security Updates, MSRC
