Wednesday, 26 March 2008 06:25

Microsoft failed to patch bugs it knew about

Written by David Stellmack


Known since 2005


A security team from Microsoft Corporation has acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005, yet failed to patch the issues. The team claims it left them unpatched because it thought it had blocked the obvious attack vectors.

Mike Reavey, MSRC’s Operations Manager, admitted that researchers and others outside Microsoft had notified the company in both 2005 and 2007 of separate bugs in Jet (a Windows component providing data access to Visual Basic and Microsoft Access applications).

Microsoft apparently informed the researchers that it would not fix the flaw because it considered the users who would be affected by it to be ‘safe’: Microsoft Outlook blocked the opening of the .mdb file format, Exchange servers stripped .mdb files from incoming messages, and Internet Explorer issued warnings when users clicked on such files.

And while this might have been true then, today hackers are using new attack strategies. Symantec claims that attackers are doing an ‘end run’ around Outlook, using an attack vector that loads an .mdb file when the user opens a Word document.

According to Symantec, Microsoft should have fixed these flaws years ago. Microsoft appears to finally be listening; it has issued a security advisory warning users of Word for Windows 2000, XP and Server 2003 SP1 to take defensive steps.

The MSRC is still trying to decide how it wants to patch the vulnerability. Reavey did not provide any details on the patch release, and last week information from MSRC indicated that the fix might be delivered as an “out of band” release (prior to the next scheduled general security update on April 8th).

In the meantime, until Microsoft releases the patch, Reavey urged users to either disable the Jet Database Engine or to block .mdb files at the gateway.

Last modified on Wednesday, 26 March 2008 09:12
