Wednesday, 26 March 2008 06:25

Microsoft failed to patch bugs it knew about

Written by David Stellmack


Known since 2005


A security team from Microsoft Corporation has acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005, yet failed to patch the issues. The team says it did not patch them because it thought it had blocked the obvious attack vectors.

Mike Reavey, MSRC’s Operations Manager, admitted that researchers and others outside Microsoft had notified the company in both 2005 and 2007 of separate bugs in Jet (a Windows component providing data access to Visual Basic and Microsoft Access applications).

Microsoft apparently informed the researchers that it would not fix the flaw because it considered the users who would be affected by it to be ‘safe’: Microsoft Outlook blocked the opening of the .mdb file format, Exchange servers stripped .mdb files from incoming messages, and Internet Explorer issued warnings when users clicked on such files.

And while this might have been true then, today hackers are using new attack strategies. Symantec claims that attackers are doing an ‘end run’ around Outlook, using an attack vector that allows an .mdb file to be loaded by opening a Word document.

According to Symantec, Microsoft should have fixed these flaws years ago. Microsoft appears to finally be listening; it has issued a security advisory warning users of Word for Windows 2000, XP and Server 2003 SP1 to take defensive steps.

The MSRC is still trying to decide how it wants to patch the vulnerability. Reavey did not provide any details on the patch release, and last week information from MSRC indicated that the fix might be delivered as an “out of band” release (prior to the next scheduled general security update on April 8th).

In the meantime, until Microsoft releases the patch, Reavey urged users to either disable the Jet Database Engine or to block .mdb files at the gateway.

Last modified on Wednesday, 26 March 2008 09:12
