New buffer overrun exploit threatens old Jet database engine on XP
A few weeks after a security laboratory reported what it described as an unpatched weakness in how Word hands data to an old database engine, Microsoft has confirmed that someone is actively trying this old attack vector in targeted attacks.
It's such an old style of attack that you might reasonably wonder why anyone would still aim it at specific computers, unless the point is to prove something about their old software. But late Friday, Microsoft said it had been informed of a targeted buffer overflow attack that combines the Jet database engine with any version of Microsoft Word from Word 2000 Service Pack 3 through Word 2007, running on older operating systems: Windows 2000, Windows XP, and Windows Server 2003 SP1.
The likely trigger is the discovery by security researchers at Panda Labs earlier this month of an unpatched flaw in how Word reads database files built for older versions of Microsoft Access. Though .MDB files were once thought of as "Access files," Microsoft's intent through the latter half of the 1990s was to elevate them into the general-purpose database file format for all of Windows.
During that period, Windows supplied the Jet database engine as an underlying database manager that, while having no frills and being far from versatile, could still run a useful subset of relational SQL. Microsoft's answer to the problem of giving almost any program uniform access to .MDB files was to let the application load the Jet engine directly, as a DLL inside its own process, and hand it the file. That way, applications could bypass the ODBC driver connection needed for things like Oracle and FoxPro database files and go straight to the source, as it were. The cost of that convenience is that the engine's file parser, bugs and all, runs with the privileges and inside the memory of whatever application opened the file.
It was easily one of Microsoft's worst design decisions from a security standpoint, which the company now freely admits in a September 2007 Knowledge Base article advising customers simply to refrain from using .MDB files. Access itself has already moved on (Access 2007 introduced the .ACCDB format and its own engine), but mainly for backward compatibility the Jet engine is still supplied with Windows. It has been patched several times for XP, and the newer build that ships with Windows Server 2003 SP2 and Windows Vista is not affected by this particular bug.
On XP and earlier systems, most of the protection that exists is aimed at Access specifically, to stop Access itself from triggering the kind of buffer overflow that Panda discovered and Symantec analyzed a few weeks later. The Word-to-Jet path isn't watched as closely: when Word opens an .MDB file, the file goes straight to the engine's parser.
As the world learned several years ago when the ILOVEYOU virus spread through Outlook, the most direct way to disguise a malicious payload is to change its filename extension, and the Jet parser does not care what the file is called. Here again the cost of Microsoft's 1990s architecture comes due, but this exploit is still a little tricky to pull off. Word has to be running, and the document has to carry a VBA macro that loads the malicious payload from the renamed .MDB file, which the victim receives separately. Then something in the document has to persuade the victim to let that happen, some other kind of "Please open me!" message, the sort businesses are barraged with anyway.
So for the victim, triggering the payload is not a one-step process. In any event, someone appears to have been inspired by Panda's research and is trying the exploit regardless. In one sense, that could be read as a good sign: if attackers are reduced to old, second-rate Jet buffer overflows, perhaps much of the low-hanging fruit for Vista-related exploits has already been picked.
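The mechanism described above, an in-process parser that trusts a length field read from an attacker-supplied file, is easy to see in miniature. The following is an added example written for this article, not code from Microsoft or from the Jet engine; the record layout (a tag byte, a two-byte little-endian length, then the name bytes) and all function names are invented for illustration and have nothing to do with the real .MDB format. The unchecked parser copies however many bytes the file claims into a fixed 32-byte slot, exactly the class of bug at issue; the hardened version bounds the on-disk length by the destination's capacity before copying and rejects the record otherwise. The overrun is deliberately aimed at a 64-byte heap arena the program owns, so the clobbered bytes can be counted without corrupting anything else.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record layout (not Jet's real on-disk format):
 *   byte 0    : record tag
 *   bytes 1-2 : little-endian length of the name field
 *   bytes 3.. : name bytes
 */
#define NAME_MAX 32
#define REC_HDR  3

/* Read the on-disk length; returns (size_t)-1 if the record is truncated. */
static size_t name_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < REC_HDR) return (size_t)-1;
    size_t n = (size_t)rec[1] | ((size_t)rec[2] << 8);
    if (rec_len - REC_HDR < n) return (size_t)-1;   /* fewer bytes than claimed */
    return n;
}

/* Vulnerable parser: fills a caller buffer that is assumed to hold NAME_MAX
 * bytes, but the only length check is that the file really contains the
 * bytes it claims, and the attacker controls the file. */
int parse_name_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *name_out)
{
    size_t n = name_len(rec, rec_len);
    if (n == (size_t)-1) return -1;
    memcpy(name_out, rec + REC_HDR, n);   /* BUG: n is never compared to NAME_MAX */
    return (int)n;
}

/* Hardened parser: the destination capacity is part of the contract and the
 * on-disk length is bounded by it before any copy happens. */
int parse_name_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *name_out, size_t out_cap)
{
    size_t n = name_len(rec, rec_len);
    if (n == (size_t)-1) return -1;
    if (n > out_cap) return -2;             /* malformed: reject, copy nothing */
    memcpy(name_out, rec + REC_HDR, n);
    return (int)n;
}

/* Build a record whose name is n bytes of 'A'. Returns the record size,
 * or 0 if it does not fit in cap. */
size_t build_record(uint8_t *buf, size_t cap, size_t n)
{
    if (n > 0xFFFF || cap < REC_HDR + n) return 0;
    buf[0] = 0x01;
    buf[1] = (uint8_t)(n & 0xFF);
    buf[2] = (uint8_t)(n >> 8);
    memset(buf + REC_HDR, 'A', n);
    return REC_HDR + n;
}

/* Feed the unchecked parser a record with a 48-byte name, pointing it at a
 * 32-byte slot that sits at the start of a 64-byte arena we own. Returns how
 * many bytes beyond the slot were overwritten (the overrun stays inside the
 * allocation, so it can be inspected safely). */
size_t overflow_demo(void)
{
    uint8_t rec[128];
    size_t rec_len = build_record(rec, sizeof rec, 48);   /* 48 > NAME_MAX */
    uint8_t *arena = malloc(64);
    if (!arena) return 0;
    memset(arena, 0xCC, 64);                              /* sentinel fill */
    parse_name_unchecked(rec, rec_len, arena);            /* copies 48 bytes */
    size_t clobbered = 0;
    for (size_t i = NAME_MAX; i < 64; i++)
        if (arena[i] != 0xCC) clobbered++;
    free(arena);
    return clobbered;
}

/* The same crafted record through the hardened parser: rejected, nothing written. */
int hardened_demo(void)
{
    uint8_t rec[128], name[NAME_MAX];
    size_t rec_len = build_record(rec, sizeof rec, 48);
    return parse_name_checked(rec, rec_len, name, sizeof name);
}

int main(void)
{
    printf("unchecked parser wrote %zu bytes past the slot\n", overflow_demo());
    printf("checked parser returned %d for the same record\n", hardened_demo());
    return 0;
}
```

The unchecked parser is not wrong about the file: it verifies the record really contains the bytes it claims, which is the kind of check that gives a false sense of safety. What it never asks is whether the caller's buffer can hold them. In a host like Word, the sixteen overrun bytes here would land in whatever sits after the buffer, which is where an attacker starts turning a parsing bug into code execution.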