Exploit Code Published for Unpatched Office Flaw

Security researchers this week reported a flaw in the memory handling of the Microsoft Jet Database Engine that powers the Microsoft Office Access database. An attacker could use the flaw to remotely take control of a compromised system, according to HexView, a security firm that discovered the flaw.

Exploit code, a necessary precursor for attackers to take advantage of the flaw, has already been released.

The Microsoft Security Response Center is investigating the report. "[They] have been made aware that exploit code for this vulnerability has also been released. Microsoft has not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but are aggressively investigating the public reports," a Microsoft spokesperson said Thursday.

A patch could be released before Microsoft's next scheduled monthly patch release on May 10, the spokesperson said.

HexView rated the flaw "highly critical," which is the second-most serious rating in the firm's five-level rating system. Secunia, a security firm that tracks unpatched vulnerabilities across many operating systems and products, said the vulnerability had been confirmed on a fully patched system running Microsoft Access 2003. The firm said the flaw could affect Access 2000, Access 2002, Office 2000 and Office 2003.

HexView said it notified Microsoft about the flaw on March 30 and received only an automated reply from Microsoft.

Microsoft disputed HexView's account. "The MSRC has found no record of the finder contacting them with this report. As is a standard MSRC practice, they have outreached to the finder to try and work with them to learn more about the vulnerability and in turn be able to provide customers with the appropriate solution," the Microsoft spokesperson said. "Microsoft is concerned that this new report of a vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
