Microsoft patch for Jet Engine Database Zero-day Bug is ‘incomplete’, making Windows still vulnerable

• The vulnerability (CVE-2018-8423) is a memory corruption vulnerability, and could also allow remote code execution on a targeted computer.
• The official patch only limited the vulnerability but did not eliminate it.

Microsoft patch issued for zero-day in its JET Database Engine may not be a complete fix for the remote code execution vulnerability. The vulnerability (CVE-2018-8423) is a memory corruption vulnerability, and could also allow remote code execution on a targeted computer.

The vulnerability quoted as a zero-day was discovered by Trend Micro’s Zero Day Initiative (ZDI). The company swiftly notified Microsoft about the vulnerability. However, Microsoft did not patch the vulnerability for at least 135 days after Trend Micro’s notification.

ZDI did go public with the proof-of-concept for the vulnerability, as there was no response to its notification. However, earlier this week, Microsoft released a fix for the zero-day vulnerability along with its patch Tuesday updates. But the update does not offer a complete fix to the (CVE-2018-8423) vulnerability, said 0patch researchers.

About the vulnerability

The vulnerability occurs based on how the JET Database Engine handles malformed data in a database file. According to ZDI, the flaw exists within the management of indexes in JET. The vulnerability can be exploited when a booby-trapped JET database file is opened using OLEDB. OLEDB is an API designed by Microsoft and allows data to be accessed from an array of disparate sources in a uniform manner.

This consequently would cause a “write past the end of an allocated buffer,” i.e., a crash, which in turn would allow an adversary to execute code with the same privileges as the target machine’s legitimate user, said the report.

Patching and Micro-patching

When ZDI made a public disclosure of the vulnerability after 135 days without Microsoft having issued an official fix to the vulnerability, 0patch created a micro-patch for the use of its customers, taking into reference the ZDI proof-of-concept. 0patch security researchers also explained the micro-patch in a blog post.

Later, the official patch released by Microsoft on October 2018 monthly update was examined by 0patch researchers. As a result, the official fix was found to be slightly different from the micro-patch created by 0patch for their customers. The actual problem seems to be with one of Window’s core dynamic link libraries, “msrd3x40.dll.”

Mitja Kolsek, a researcher with the 0patch team said that “At this point, we will only state that we found the official fix to be slightly different to our micro patch, and unfortunately in a way that only limited the vulnerability instead of eliminating it.”

Vulnerability patch

0Patch did notify Microsoft about the vulnerability and said that it will await an official update from Microsoft before publishing the proof-of-concept report. However, there are no additional details from Microsoft at the time of writing this article.

Kolsek said 0patch has created a new micro-patch for the vulnerability. The micro-patch also fixes updated windows 10 (32-bit and 64-bit), Windows 8.1, Windows 7, Windows Server 2012, and other Windows versions that share the same version of msrd3x40.dll.