Exploit Code Published for Unpatched Office Flaw

Security researchers this week reported a flaw in the memory handling of the Microsoft Jet Database Engine, which powers the Microsoft Office Access database. An attacker could use the flaw to remotely take control of a vulnerable system, according to HexView, the security firm that discovered the flaw.

Exploit code, a necessary precursor for attackers to use the flaw, has already been released.

The Microsoft Security Response Center is investigating the report. "[They] have been made aware that exploit code for this vulnerability has also been released. Microsoft has not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but are aggressively investigating the public reports," a Microsoft spokesperson said Thursday.

A patch could be released before Microsoft's next scheduled monthly patch release on May 10, the spokesperson said.

HexView rated the flaw "highly critical," which is the second-most serious rating in the firm's five-level rating system. Secunia, a security firm that tracks unpatched vulnerabilities across many operating systems and products, said the vulnerability had been confirmed on a fully patched system running Microsoft Access 2003. The firm said the flaw could affect Access 2000, Access 2002, Office 2000 and Office 2003.

HexView said it notified Microsoft about the flaw on March 30 and received only an automated reply from Microsoft.

Microsoft disputed HexView's account. "The MSRC has found no record of the finder contacting them with this report. As is a standard MSRC practice, they have outreached to the finder to try and work with them to learn more about the vulnerability and in turn be able to provide customers with the appropriate solution," the Microsoft spokesperson said. "Microsoft is concerned that this new report of a vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

