Microsoft Zero-Day Patch for JET Bug Incomplete, Claims Firm

Microsoft patched a zero-day in its JET Database Engine this week – but the patch was incomplete, according to researchers at 0patch. The company has developed a micropatch that corrects that hole, it said Friday.

The memory corruption vulnerability (CVE-2018-8423) could allow remote code-execution. It was found by Trend Micro’s Zero Day Initiative (ZDI), which subsequently released the flaw as a zero-day 135 days after reporting it to Microsoft. Eighteen days later, Microsoft issued a fix as part of its Patch Tuesday updates this week.

The flaw is an out-of-bounds (OOB) write in the JET Database Engine, which underlies the Microsoft Access and Visual Basic software. It’s a less well-known alternative to Microsoft’s flagship SQL Server.

“The root cause boils down to how the JET Database Engine handles malformed data in a database file,” Dustin Childs, communications manager for ZDI, told Threatpost. “Improper handling of the malformed data could lead to code execution.”

According to ZDI, the specific flaw exists within the management of indexes in JET. It can be triggered by opening a booby-trapped JET database file via OLEDB, which is an API designed by Microsoft that enables data to be accessed from an array of disparate sources in a uniform manner.  That consequently would cause a “write past the end of an allocated buffer,” i.e., a crash, which in turn would allow an adversary to execute code with the same privileges as the target machine’s legitimate user.

Because the vulnerability was published as a zero-day before the official patch was available, 0patch issued a micropatch just a day after it dropped. It has now issued another micropatch to correct the official patch.

The problem lies in one of Window’s core dynamic link libraries, “msrd3x40.dll.”

“As expected, the update brought a modified msrd3x40.dll binary: this is the binary with the vulnerability, which we had micropatched with four CPU instructions (one of which was just for reporting purposes),” said Mitja Kolsek, a researcher with the 0patch team, in a notice about the fresh fix. “The version of msrd3x40.dll changed from 4.0.9801.0 to 4.0.9801.5 and of course its cryptographic hash also changed – which resulted in our micropatch for this issue no longer getting applied to msrd3x40.dll.”

However, when the company reviewed the differences between the official patch and the micropatch, it found slight differences, “unfortunately in a way that only limited the vulnerability instead of eliminating it,” Kolsek said.

0patch has notified Microsoft about the problem and said that it will await an official update before publishing proof-of-concept details. Microsoft did not immediately respond to Threatpost’s inquiry about the issue.

Kolsek said the new micropatch fixes fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012, as well as other Windows versions that share the same version of msrd3x40.dll.