Exploit Code Published for Unpatched Office Flaw
- By Scott Bekker
Security researchers this week reported a flaw in the memory handling of the Microsoft Jet Database Engine that powers the Microsoft Office Access database. An attacker could use the flaw to remotely take control of a compromised system, according to HexView, a security firm that discovered the flaw.
A necessary precursor for attackers to use the flaw, called an exploit, has already been released.
The Microsoft Security Response Center is investigating the report. "[They] have been made aware that exploit code for this vulnerability has also been released. Microsoft has not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but are aggressively investigating the public reports," a Microsoft spokesperson said Thursday.
A patch could be released before Microsoft's next scheduled monthly patch release on May 10, the spokesperson said.
HexView rated the flaw "highly critical," which is the second-most serious rating in the firm's five-level rating system. Secunia, a security firm that tracks unpatched vulnerabilities across many operating systems and products, said the vulnerability had been confirmed on a fully patched system running Microsoft Access 2003. The firm said the flaw could affect Access 2000, Access 2002, Office 2000 and Office 2003.
HexView said it notified Microsoft about the flaw on March 30 and received only an automated reply from Microsoft.
Microsoft disputed HexView's account. "The MSRC has found no record of the finder contacting them with this report. As is a standard MSRC practice, they have outreached to the finder to try and work with them to learn more about the vulnerability and in turn be able to provide customers with the appropriate solution," the Microsoft spokesperson said. "Microsoft is concerned that this new report of a vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk."
Scott Bekker is editor in chief of Redmond Channel Partner magazine.