Microsoft Incompletely Patches JET Database Vulnerability
18.10.2018 securityweek
Vulnerability

An out-of-bounds (OOB) write bug in the Microsoft JET Database Engine that could be exploited for remote code execution has been incompletely addressed with the latest Patch Tuesday security updates, 0patch says.

Tracked as CVE-2018-8423, the flaw was publicly revealed in late September, after Microsoft failed to provide a patch for it in the September 2018 Patch Tuesday set of updates. As 120 days had passed since the vendor was informed of the bug, Trend Micro's Zero Day Initiative (ZDI) shared the information publicly.

It didn’t take long before the first fix arrived. It wasn’t an official update, but a third-party micro-patch developed by 0patch, a community project that aims at resolving software vulnerabilities by delivering tiny fixes to users worldwide.

Last week, Microsoft delivered an official patch for the vulnerability, as part of its October 2018 Patch Tuesday, but it appears that the fix wasn’t complete, and only limited the vulnerability instead of fully addressing it, ACROS Security CEO Mitja Kolsek explains.

The micro-patches from the community are designed in such a manner that they are immediately replaced by the official patches when those become available. This is what happened last week as well, when the micro-patch released in late September was replaced by Microsoft’s update.

The bug was found to impact all Windows versions that use two specific variants of the msrd3x40.dll library. What Microsoft did last week was to deliver an entirely new version of that file to all of its users, thus rendering systems vulnerable once again.

The micro-patch is applied to the affected library in memory every time the module gets loaded into any running process. Because the DLL was replaced with a new version and its cryptographic hash therefore changed, the micro-patch no longer matched the library and ceased to work after the October 2018 Patch Tuesday update was applied.

According to Kolsek, “Microsoft's October update actually re-opened the CVE-2018-8423 vulnerability for 0patch users who were previously protected by our micropatch.”

This prompted the community to release another fix, which addresses the issue once again for all fully updated 32-bit and 64-bit Windows 10, Windows 8.1, Windows 7, Windows Server 2008 and Windows Server 2012 systems.

“We suspect all other affected Windows versions also share the same version of msrd3x40.dll, in which case the micropatch will apply there as well,” Kolsek notes.

Users who haven’t installed the October patches yet but do have the 0patch Agent installed and did apply the initial micropatch continue to be protected, Kolsek also points out.