The Active Network
ActiveWin Anonymous | Create a User | Reviews | News | Forums | Advertise | VBA in Excel | Users Online: 0  
 

neowin.net

Amazon.com

  *  

  Update: Microsoft admits it knew about, didn't patch, bugs
Time: 01:36 EST/06:36 GMT | News Source: ComputerWorld | Posted By: Kenneth van Surksum

Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors.

A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago.

In a post to the Microsoft Security Research Center (MSRC) blog late Monday afternoon, Mike Reavey, the MSRC's operations manager, admitted that outside researchers had notified Microsoft in 2005 and 2007 of separate bugs in Jet, a Windows component that provides data access to applications such as Microsoft Access and Visual Basic.

Read Only Comments
Return to News
  Displaying Comments 1 through 10 of 10
  This is an archived static copy of ActiveWin.com.
#1 By 15406 (216.191.227.68) at Wednesday, March 26, 2008 08:59:40 AM
Nice. So much for "responsible disclosure." You want a bug fixed? Make it public so that the vendor can't just sit on it for years.

#2 By 92283 (142.32.208.232) at Wednesday, March 26, 2008 12:15:06 PM
They were made public.

http://bardissi.wordpress.com/2007/11/19/public-and-unpatched-zero-day-microsoft-access-exploit-2/

"These new attacks, discussed in Friday’s security advisory, use the exact same vulnerability as was posted in a November 2007 full-disclosure posting by cocoruder. In fact, very little was changed about the file compared to cocoruder’s POC file which launched calc.exe. It uses the same column number overflow. Even as far back as March 2005, HexView posted a similar vulnerability in msjet40.dll column handling. You’ll notice that both the HexView and the cocoruder posting mention that they first submitted their samples to the MSRC, but the MSRC replied back that they would not address the issues via a security bulletin because any attempt to attack customers using these issues was heavily mitigated by the blocking mentioned earlier in this post."

This one is new.

"Everything changed with the discovery of this new attack vector that allowed an attacker to load an MDB file via opening a Microsoft Word document. The previous guidance does not work against this new attack."


mdb files are inherently dangerous because they execute code. You either cripple Access and every other program that uses JET, or you mitigate the attack options.

Microsoft has been mitigating the attack options.

#3 By 15406 (216.191.227.68) at Wednesday, March 26, 2008 01:54:50 PM
#2: Microsoft has been mitigating the attack options.

And, 3 years later, the problem is still there, ripe for the picking. Looks like their "mitigation" efforts were a waste of time. Too bad they didn't choose to just fix the bug instead.

#4 By 92283 (142.32.208.232) at Wednesday, March 26, 2008 02:17:44 PM
The "mitigation" fixes are the right thing to do because mdb files can be as dangerous as .exe files even without the bug.

The bug is fixed in Vista, W2K3SP2 and in XP SP3.

#5 By 15406 (216.191.227.68) at Wednesday, March 26, 2008 03:50:47 PM
#4: The "mitigation" fixes are the right thing to do because that's what Microsoft did.

Fixed your post for you.

#7 By 28801 (65.90.202.10) at Friday, March 28, 2008 10:59:38 AM
See Parker, this is where you run into credibility issues. Pointing out that competing software has security issues doesn't mitigate Microsoft's security problems. I think you were better off arguing the attack vector defense.


#8 By 92283 (142.32.208.232) at Friday, March 28, 2008 12:27:21 PM
#7 I guess pointing out the hypocrisy of the Microsoft haters AND offering a reason for Microsoft actions is too difficult for you to grasp?

#9 By 28801 (65.90.202.10) at Friday, March 28, 2008 12:34:35 PM
#8: Don't shoot the messenger! I'm kinda on your side here. I just don't see what FF bug fixes have to do with this thread. DO YOU???

#10 By 92283 (142.32.208.232) at Friday, March 28, 2008 04:16:52 PM
#9 Just puncturing Myths.

Myth 1: Firefox is more secure than IE

as the number of vulnerabilities added up and IE7 came out the myth changed

Myth 1a: Ok ... maybe not more secure. But the bugs get patched a lot quicker

Reality: Not really. In real life you can't fix every bug. Firefox chooses to not fix bugs for years too.

I think Microsofts efforts at mitigation (because mdb's are inherently dangerous anyway) was the right way to go.




 

  *  
  *   *
 
replica watches