Another unpatched vulnerability in MS Access
An exploit for a previously undocumented vulnerability in MS Access is available on the internet. According to antivirus software vendor Panda, one keylogger is already exploiting the vulnerability. An initial analysis by Panda points to a bug in the Access Jet Engine that can be exploited to inject code and execute it with the user's privileges. For an attack to succeed, the victim needs to open an mdb file using a vulnerable version of Access.
The report notes that no update is available. Microsoft has no plans to fix the problem. In response to its enquiry, Panda has been told that mdb files are intrinsically unsafe and are blocked by both Internet Explorer and Outlook. A Microsoft knowledge base article states that "Examples (of unsafe file types) are file types that allow for embedded script operations, such as Microsoft Access files (*.mdb) or macros in Microsoft Word files (*.doc) or in Microsoft Excel files (*.xls)."
The article continues: "Sometimes, Microsoft receives reports of purported security vulnerabilities because of the ability of unsafe file types to perform malicious actions. Microsoft evaluates these reports on a case-by-case basis. However, Microsoft does not categorize a specific file type as a vulnerability merely because someone used the file type for malicious purposes."
In principle, Microsoft is correct. However, this particular problem is not based on execution of scripts or SQL commands from within files, but on a vulnerability in the application itself that allows direct execution of code. Deactivating macros in Excel and Word will offer only limited assistance in the case of a vulnerability in the document parser. A similar vulnerability in Access was discovered last November, and was being actively exploited shortly afterwards. No patch is currently available.
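With no fix planned, keeping untrusted Access databases away from users is the remaining control. The sketch below is an added example, not code from Panda or Microsoft: it flags Access databases by file header as well as by extension, as a mail or download filter might. The header bytes come from public Jet/ACE format notes, and the extension list, function names and sample header are assumptions made for illustration.

```python
import os

# Header layout taken from public Jet/ACE format notes (mdbtools), not from the
# article: bytes 0-3 are 00 01 00 00 and bytes 4-18 name the database engine.
MAGIC = b"\x00\x01\x00\x00"
ENGINES = {b"Standard Jet DB": "Jet", b"Standard ACE DB": "ACE"}
# Illustrative extension list; align it with your gateway's own policy.
ACCESS_EXTS = {".mdb", ".mde", ".accdb", ".accde"}


def sniff_access_db(head: bytes):
    """Return 'Jet' or 'ACE' when head is an Access database header, else None."""
    if len(head) < 19 or head[:4] != MAGIC:
        return None
    return ENGINES.get(head[4:19])


def classify(filename: str, head: bytes) -> str:
    """Decide what to do with an inbound file given its name and first bytes."""
    ext = os.path.splitext(filename)[1].lower()
    engine = sniff_access_db(head)
    if engine and ext not in ACCESS_EXTS:
        return "mismatch"   # database content under another extension: hold for review
    if engine or ext in ACCESS_EXTS:
        return "block"      # Access database by content or by name
    return "allow"


def classify_path(path: str) -> str:
    """Convenience wrapper: read the first 32 bytes of a file on disk."""
    with open(path, "rb") as fh:
        return classify(os.path.basename(path), fh.read(32))


# Constructed sample header (not a real database): magic, engine name, NUL, padding.
SAMPLE_JET_HEAD = MAGIC + b"Standard Jet DB\x00" + b"\x01\x00\x00\x00" + b"\x00" * 8

if __name__ == "__main__":
    for name, head in [("orders.mdb", SAMPLE_JET_HEAD),
                       ("report.doc", SAMPLE_JET_HEAD),
                       ("notes.txt", b"plain text, nothing to see")]:
        print(f"{name}: {classify(name, head)}")
```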
- New MS Access exploit, report from Panda
- An overview of unsafe file types in Microsoft products, knowledge base article from Microsoft