Featured Articles

AMD sheds light on stacked DRAM APUs

AMD sheds light on stacked DRAM APUs

AMD is fast tracking stacked DRAM deployment and a new presentation leaked by the company  points to APUs with stacked DRAM,…

More...
Nvidia officially launches the 8-inch Shield Tablet

Nvidia officially launches the 8-inch Shield Tablet

As expected and reported earlier, Nvidia has now officially announced its newest Shield device, the new 8-inch Shield Tablet. While the…

More...
Intel launches new mobile Haswell and Bay Trail parts

Intel launches new mobile Haswell and Bay Trail parts

Intel has introduced seven new Haswell mobile parts and four Bay Trail SoC chips, but most of them are merely clock…

More...
Aerocool Dead Silence reviewed

Aerocool Dead Silence reviewed

Aerocool is well known for its gamer cases with aggressive styling. However, the Dead Silence chassis offers consumers a new choice,…

More...
AMD A8-7600 Kaveri APU reviewed

AMD A8-7600 Kaveri APU reviewed

Today we'll take a closer look at AMD's A8-7600 APU Kaveri APU, more specifically we'll examine the GPU performance you can…

More...
Frontpage Slideshow | Copyright © 2006-2010 orks, a business unit of Nuevvo Webware Ltd.
Wednesday, 26 March 2008 06:25

Microsoft failed to patch bugs it knew about

Written by David Stellmack

Image

Known since 2005


A security team from Microsoft Corporation has acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005, yet failed to patch the issues. They claim the reason for this is because they thought they had blocked the obvious attack vectors.

Mike Reavey, MSRC’s Operations Manager, admitted that researchers and others outside Microsoft had notified the company in both 2005 and 2007 of separate bugs in Jet (a Windows component providing data access to Visual Basic and Microsoft Access applications).

Microsoft apparently informed the researchers that it would not fix the flaw because it considered the users who would be affected by it to be ‘safe;’ Microsoft Outlook blocked the opening of the .mdb file format,  Exchange servers stripped .mdb files from incoming messages and Internet Explorer issued warnings when users clicked on such files.

And while this might have been true then, today there are new attack strategies being used by hackers. Symantec claims that attackers are doing an ‘end run’ around Outlook. Hackers use an attack vector that allows an attacker to load an .mdb file by opening a Word document.

According to Symantec, Microsoft should have fixed these flaws years ago. Microsoft appears to finally be listening; they have issued a security advisory warning users of Word for Windows 200, XP and Server 2003 SP1 to take defensive steps.

The MSRC is still trying to decide how it wants to patch the vulnerability. Reavey did not provide any details on the patch release, and last week information from MSRC indicated that the fix might be delivered as an “out of band” release (prior to the next scheduled general security scheduled update on April 8th).

In the meantime, until Microsoft releases the patch, Reavey urged users to either disable the Jet Database Engine or to block .mdb files at the gateway.

Last modified on Wednesday, 26 March 2008 09:12

David Stellmack

E-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
blog comments powered by Disqus

 

Facebook activity

Latest Commented Articles

Recent Comments