Wednesday, 26 March 2008 06:25

Microsoft failed to patch bugs it knew about

Written by David Stellmack

Known since 2005


A security team from Microsoft Corporation has acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005, yet failed to patch the issues. The team says the reason is that it thought it had blocked the obvious attack vectors.

Mike Reavey, MSRC’s Operations Manager, admitted that researchers and others outside Microsoft had notified the company in both 2005 and 2007 of separate bugs in Jet (a Windows component providing data access to Visual Basic and Microsoft Access applications).

Microsoft apparently informed the researchers that it would not fix the flaw because it considered the users who would be affected by it to be ‘safe’: Microsoft Outlook blocked the opening of the .mdb file format, Exchange servers stripped .mdb files from incoming messages, and Internet Explorer issued warnings when users clicked on such files.

And while this might have been true then, today there are new attack strategies being used by hackers. Symantec claims that attackers are doing an ‘end run’ around Outlook. Hackers are using an attack vector that loads an .mdb file when a Word document is opened.

According to Symantec, Microsoft should have fixed these flaws years ago. Microsoft appears to finally be listening; it has issued a security advisory warning users of Word for Windows 2000, XP and Server 2003 SP1 to take defensive steps.

The MSRC is still trying to decide how it wants to patch the vulnerability. Reavey did not provide any details on the patch release, and last week information from MSRC indicated that the fix might be delivered as an “out of band” release (prior to the next scheduled general security update on April 8th).

In the meantime, until Microsoft releases the patch, Reavey urged users to either disable the Jet Database Engine or to block .mdb files at the gateway.

Last modified on Wednesday, 26 March 2008 09:12
