The vulnerability exists in Windows 7 (ZDI has issued proof-of-concept code for the bug), but it said that it believes that “all supported Windows version are impacted by this bug, including server editions.”
Microsoft patched two other issues in JET in the September Patch Tuesday updates, both of them listed as buffer overflows. For its part, the vendor has acknowledged the zero-day (first reported to Microsoft in May by Lucas Leong of Trend Micro Security Research) and said that it is working on a patch. In the meantime, 0patch promised that a micropatch for Windows 7 is forthcoming.
Other than that, businesses using JET should work on employee awareness and caution them not to open files from untrusted sources.
Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras
Firmware used in up to 800,000 CCTV cameras open to attack thanks to buffer overflow zero-day bug.
ThreatList: Microsoft Macros Remain Top Vector for Malware Delivery
The second-most popular delivery method is CVE-2017-11882, a patched Microsoft vulnerability that allows the attacker to perform arbitrary code-execution.
Apple Yet to Patch Safari Browser Address Bar Spoofing Flaw
A flaw in Safari – that allows an attacker to spoof websites and trick victims into handing over their credentials – has yet to be patched.