March 22, 2008

MsJet40.dll cancer!

No, it's not about making fun of a random Microsoft DLL name. It's about ANOTHER vulnerability in that library, and yes, again, no fix from the vendor for this specific affected library. I'm starting to believe that MsJet40.dll is suffering from some kind of terminal cancer, one that Microsoft thinks is not worth the money to cure.

Since 2005 (actually 2004, counting MS04-014) this is the 4th time, and interestingly the 4th distinct attack vector discovered against this library, this time triggered from the Microsoft Word suite. Every time a new vector is discovered and reported to MS, the answer is something like "Since MDB files are considered insecure and users should not trust them ...blah blah blah.... Microsoft is not going to release any hotfix for this vulnerability". Previous attack vectors were triggered by malicious .mdb files, and end users were left with the above answer. Let's see if .doc changes anything about this old sick library. Based on the advisory (I don't trust MS notes about this specific case!), Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are immune to THIS ISSUE, as these versions ship a newer version of the library ***.
Somebody please confirm that "this issue" really means "this issue", not the other known issues!
A quick search reveals some of the old known vectors, but the results are not complete. Try your own Google-fu (be sure to cover Chinese sites) and you'll get even more results :)

So, how serious is it really? Well, to give you an idea: if we add this new vector to the old bag of tricks against this library, then no matter which version of Microsoft Office/Word >= 2000 you're running, you're vulnerable. To make it even cooler, unlike some other Office vulnerabilities that limit attackers to a minor version of the software in their shot, some (if not all) of the vulnerabilities reported for this library let attackers target a whole major version of the software. This means a single shot for every patch level of Word/Office 2000, or a single shot covering any 2003 release from SP0 to SP3. I've not personally tested the 2007 version of the packages, but I assume the same results will apply to Office 2007. And the last piece of good news about the level of risk: full technical details on exploiting the flaws, along with reliable exploits using magical return offsets, have been publicly accessible since 2006. Now relax :-)

*** I'm issuing a double warning here. Microsoft is talking about the new vector only. I've not confirmed the supposedly immune platforms against the OLD vectors, so they may still be vulnerable to the old attack vectors even though they're immune to the new one. Leave a comment if you've confirmed them to be secure or still vulnerable.

[Updated 16 May 2008]

Microsoft seems to have finally decided to PATCH the sick library!
Let's hope a new vector for exploiting this library doesn't pop up soon.