__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability

                   INFORMATION BULLETIN
__________________________________________________________

      Vulnerability in Microsoft Jet Database Engine (JET)
            [Microsoft Security Advisory (950627)]

March 27, 2008 18:00 GMT                                      Number S-238
______________________________________________________________________________

PROBLEM:       Microsoft is investigating new public reports of very limited,
               targeted attacks using a vulnerability in the Microsoft Jet
               Database Engine that can be exploited through Microsoft Word.

PLATFORM:      Microsoft Jet Database Engine
               Microsoft Word 2007, 2003, 2002, 2000
               Microsoft Windows 2000 Service Pack 4
               Microsoft Windows XP Service Pack 2
               Microsoft Windows Server 2003 Service Pack 1

DAMAGE:        Remote code execution.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Remote to user code execution.
ASSESSMENT:
______________________________________________________________________________

CVSS 2
BASE SCORE:     6.4
TEMPORAL SCORE: 6.4
VECTOR:         (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:U/RC:C)
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:     http://www.ciac.org/ciac/bulletins/s-238.shtml
 ORIGINAL BULLETIN: http://www.microsoft.com/technet/security/advisory/950627.mspx
 CVE:               http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1092
______________________________________________________________________________

[***** Start Microsoft Security Advisory (950627) *****]

Microsoft Security Advisory (950627)
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code
Execution

Published: March 21, 2008

Microsoft is investigating new public reports of very limited, targeted
attacks using a vulnerability in the Microsoft Jet Database Engine that can be
exploited through Microsoft Word. Customers running Windows Server 2003
Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not
vulnerable to the buffer overrun being attacked, as they include a version of
the Microsoft Jet Database Engine that is not vulnerable to this issue.
Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002
Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003
Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on
Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are
vulnerable to these attacks.

Microsoft is investigating the public reports and customer impact. We are also
investigating whether the vulnerability can be exploited through additional
applications. Upon completion of this investigation, Microsoft will take the
appropriate action to help protect our customers. This may include providing a
security update through our monthly release process or providing an
out-of-cycle security update, depending on customer needs.
At this time, we are aware only of targeted attacks that attempt to use this
vulnerability. Current attacks require customers to take multiple steps in
order to be successful; we believe the risk to be limited.

We continue to encourage responsible disclosure of vulnerabilities. We believe
the commonly accepted practice of reporting vulnerabilities directly to a
vendor serves everyone's best interests. This practice helps to ensure that
customers receive comprehensive, high-quality updates for security
vulnerabilities without exposure to malicious attackers while the update is
being developed.

Customers who believe that they have been attacked can obtain security support
at http://www.microsoft.com/protect/support/default.mspx and should contact
the national law enforcement agency in their country. Customers in the United
States can contact Customer Service and Support at no charge using the PC
Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States
should contact their local FBI office or report their situation at
www.ic3.gov.

Microsoft continues to encourage customers to follow the “Protect Your
Computer” guidance of enabling a firewall, applying all software updates and
installing anti-virus and anti-spyware software. Additional information can be
found at: www.microsoft.com/protect.

Mitigating Factors:

• Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service
  Pack 1 are not vulnerable to this issue.

• An attacker who successfully exploited this vulnerability could gain the
  same user rights as the local user. Users whose accounts are configured to
  have fewer user rights on the system could be less affected than users who
  operate with administrative user rights.

• In a Web-based attack scenario, an attacker would have to host a Web site
  that contains a specially crafted Word file that is used to attempt to
  exploit this vulnerability. In addition, compromised Web sites and Web sites
  that accept or host user-provided content could contain specially crafted
  content that could exploit this vulnerability. An attacker would have no way
  to force users to visit these Web sites. Instead, an attacker would have to
  persuade users to visit the Web site, typically by getting them to click a
  link in an e-mail message or Instant Messenger message that takes users to
  the attacker's site.

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the
publicly disclosed vulnerability. For more information, see the “Workarounds”,
“Mitigating Factors”, and “Suggested Actions” sections of the security
advisory.

Advisory Status: The issue is currently under investigation.

Recommendation: Do not open or save Word files that you receive from untrusted
sources or that you receive unexpectedly from trusted sources. This
vulnerability could be exploited when a user opens a specially crafted Word
file.

References                          Identification
CVE Reference                       CVE-2008-1092
Microsoft Knowledge Base Article    950627

This advisory discusses the following software.

Related Software
  Microsoft Jet Database Engine
  Microsoft Word 2007
  Microsoft Word 2003
  Microsoft Word 2002
  Microsoft Word 2000
  Microsoft Windows 2000 Service Pack 4
  Microsoft Windows XP Service Pack 2
  Microsoft Windows Server 2003 Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is investigating new public reports of a vulnerability in the
Microsoft Jet Database Engine that can be exploited through all supported
versions of Microsoft Word. The vulnerability could result in remote code
execution in the Microsoft Jet Database Engine.

What is the Microsoft Jet Database Engine?
The Microsoft Jet Database Engine provides data access to applications such as
Microsoft Access, Microsoft Visual Basic, and many third party applications.
Jet can also be used by Internet Information Services (IIS) applications that
require database functionality.

Is this a security vulnerability that requires Microsoft to issue a security
update?
Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers. This may include providing a security
update through our monthly release process or providing an out-of-cycle
security update, depending on our customer needs.

What causes this threat?
This is a code execution vulnerability caused by a buffer overrun in
msjet40.dll, the Microsoft Jet Database Engine. An attacker can exploit this
vulnerability by convincing a user to open a Word file that is constructed to
load the specially crafted database file using msjet40.dll.

Of the versions of Microsoft Word that are associated with this advisory,
which are vulnerable?
While the vulnerable version of the Microsoft Jet Database Engine is delivered
with Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 2, and
Windows Server 2003 Service Pack 1, the advisory addresses versions of
Microsoft Word as noted in the Related Software table above.

If I have the Msjet40.dll file on my system, how do I know if I am vulnerable?
If the version of Msjet40.dll is lower than 4.0.9505.0, you have a vulnerable
version of the Microsoft Jet Database Engine.

Suggested Actions

• Protect Your PC
  We continue to encourage customers to follow our Protect Your PC guidance of
  enabling a firewall, getting software updates and installing antivirus
  software. Customers can learn more about these steps by visiting Protect
  Your PC Web site.

• For more information about staying safe on the Internet, customers should
  visit Microsoft Security Central.

• Customers who believe they have been attacked should contact their local FBI
  office or post their complaint on the Internet Fraud Complaint Center Web
  site. Customers outside the U.S. should contact the national law enforcement
  agency in their country.

• All customers should apply the most recent security updates released by
  Microsoft to help ensure that their systems are protected from attempted
  exploitation. Customers who have enabled Automatic Updates will
  automatically receive all Windows updates. For more information about
  security updates, visit Microsoft Security Central.

• We recommend that customers exercise extreme caution when they accept file
  transfers from both known and unknown sources. For more information about
  how to help protect your computer while you use MSN Messenger, visit MSN
  Messenger Frequently Asked Questions.

• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to help
  make sure that their computers are as protected as possible. If you are not
  sure whether your software is up to date, visit the Windows Update Web site,
  scan your computer for available updates, and install any high-priority
  updates that are offered to you. If you have Automatic Updates enabled, the
  updates are delivered to you when they are released, but you have to make
  sure you install them.

Workarounds

Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

• Restrict the Microsoft Jet Database Engine from running.

  To implement the workaround, enter the following command at a command
  prompt:

      echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N

  To undo the workaround, enter the following command at a command prompt:

      echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /R everyone

  Impact of Workaround: Any application requiring the use of the Microsoft
  Jet Database Engine to make data access calls will not function.

• Block MDB files from being processed through your mail infrastructure.
  Note: All Jet database files should be treated as unsafe file types for
  common users and Microsoft recommends that database files transferred via
  e-mail be treated as suspicious.

  To implement this workaround your mail environment must support the ability
  to search for attachments containing a specific file structure (not just
  file extension) within an e-mail message and can then perform actions on the
  attachment such as delete, quarantine, notify, and report the detected file.

  To detect Jet files that have possibly been renamed to another file type,
  search for files with any of the following 15-byte signatures at location
  0x4 (no quotes):

      "Jet System DB  "
      "Standard Jet DB"
      "Temp Jet DB    "
      "MSISAM Database"

  For configurations specific to Microsoft Exchange customers using Forefront
  (formerly Antigen) technologies, please visit
  http://technet.microsoft.com/en-us/library/bb795068.aspx for more
  information.

  This information has been shared with members of Microsoft Security Response
  Alliance (http://www.microsoft.com/security/msra/default.mspx). To utilize
  their tools to detect these files, please contact these providers as listed
  on the MSRA home page (http://www.microsoft.com/security/msra/default.mspx).

  Impact of Workaround: Files detected by this configuration will be blocked
  from processing through an organization’s e-mail system.

• Do not open or save Microsoft Word files that you receive from untrusted
  sources or that you receive unexpectedly from trusted sources. This
  vulnerability could be exploited when a user opens a specially crafted file.

Resources:

• You can provide feedback by completing the form by visiting the following
  Web site.

• Customers in the United States and Canada can receive technical support from
  Microsoft Product Support Services. For more information about available
  support options, see the Microsoft Help and Support Web site.

• International customers can receive support from their local Microsoft
  subsidiaries. For more information about how to contact Microsoft for
  international support issues, visit the International Support Web site.

• The Microsoft TechNet Security Web site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• March 21, 2008: Advisory published

[***** End Microsoft Security Advisory (950627) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
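The Microsoft advisory quoted above says an Msjet40.dll whose file version is
lower than 4.0.9505.0 is vulnerable. The following script is an added
example, not code from CIAC or Microsoft: it compares a dotted file version
against that threshold, and on Windows reads the installed DLL's version
resource through version.dll with ctypes. The function names and the sample
version strings are this example's own; 4.0.9505.0 and the file path are the
ones the advisory gives.

```python
"""Check whether msjet40.dll predates the fixed build 4.0.9505.0.

Added example (not part of the CIAC bulletin or the Microsoft advisory).
is_vulnerable_jet_version() is pure Python; installed_jet_version() only
works on Windows because it reads the DLL's VS_FIXEDFILEINFO resource.
"""
import ctypes
import os
import sys

FIXED_VERSION = (4, 0, 9505, 0)   # threshold stated in the advisory


def parse_version(text):
    """'4.0.9505.0' -> (4, 0, 9505, 0); missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"not a file version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable_jet_version(version):
    """True when version (4-tuple or dotted string) is below 4.0.9505.0."""
    if isinstance(version, str):
        version = parse_version(version)
    return tuple(version) < FIXED_VERSION


def installed_jet_version(path=None):
    """Read dwFileVersionMS/LS from the DLL's version resource (Windows only)."""
    if sys.platform != "win32":
        raise OSError("file version resources can only be read on Windows")
    if path is None:
        path = os.path.join(os.environ["SystemRoot"], "system32", "msjet40.dll")
    ver = ctypes.WinDLL("version")
    wpath = ctypes.c_wchar_p(path)
    size = ver.GetFileVersionInfoSizeW(wpath, None)
    if not size:
        raise OSError(f"no version resource in {path}")
    block = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(wpath, 0, size, block):
        raise OSError(f"GetFileVersionInfoW failed for {path}")
    info = ctypes.c_void_p()
    length = ctypes.c_uint()
    if not ver.VerQueryValueW(block, ctypes.c_wchar_p("\\"),
                              ctypes.byref(info), ctypes.byref(length)):
        raise OSError("VerQueryValueW failed")
    # VS_FIXEDFILEINFO is 13 DWORDs; dwFileVersionMS/LS sit at indexes 2 and 3.
    fixed = ctypes.cast(info, ctypes.POINTER(ctypes.c_uint32 * 13)).contents
    ms, ls = fixed[2], fixed[3]
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


if __name__ == "__main__":
    # Constructed sample versions (not measured on any real system).
    for sample in ("4.0.8618.0", "4.0.9505.0", "4.0.9511.0"):
        state = "VULNERABLE" if is_vulnerable_jet_version(sample) else "fixed or later"
        print(f"msjet40.dll {sample}: {state}")
    if sys.platform == "win32":
        installed = installed_jet_version()
        state = "VULNERABLE" if is_vulnerable_jet_version(installed) else "fixed or later"
        print("installed msjet40.dll " + ".".join(map(str, installed)) + f": {state}")
```

The comparison is done on integer tuples rather than strings so that
4.0.9505.0 sorts above 4.0.8618.0 (a plain string compare would also get this
case right, but fails as soon as field widths differ).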
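The mail-filtering workaround in the advisory above asks for attachments to be
matched on file structure, not extension: one of four 15-byte signatures at
offset 0x4. The script below is an added example, not CIAC's or Microsoft's
code, implementing that check over a batch of attachments. It assumes the two
shorter names are padded with spaces to 15 bytes, as the advisory's quoted
strings indicate; the sample attachments are constructed for the demo and are
not real files.

```python
"""Detect Jet database files by header signature rather than extension.

Added example (not part of the CIAC bulletin or the Microsoft advisory).
Implements the signature check from the "Block MDB files" workaround.
"""

SIGNATURE_OFFSET = 0x4
SIGNATURE_LENGTH = 15

# Signatures quoted in the advisory, space-padded to 15 bytes (padding is an
# assumption of this example).
JET_SIGNATURES = {
    name.ljust(SIGNATURE_LENGTH).encode("ascii"): name
    for name in ("Jet System DB", "Standard Jet DB", "Temp Jet DB", "MSISAM Database")
}


def jet_signature(data):
    """Return the Jet signature name found at offset 0x4 of data, or None."""
    window = bytes(data[SIGNATURE_OFFSET:SIGNATURE_OFFSET + SIGNATURE_LENGTH])
    if len(window) < SIGNATURE_LENGTH:
        return None            # too short to carry a Jet header
    return JET_SIGNATURES.get(window)


def scan_file(path):
    """Read only the bytes needed for the check and classify a file on disk."""
    with open(path, "rb") as fh:
        return jet_signature(fh.read(SIGNATURE_OFFSET + SIGNATURE_LENGTH))


def classify_attachments(attachments):
    """Map attachment name -> signature name (or None).

    attachments: iterable of (filename, bytes). The extension is ignored on
    purpose: a renamed .mdb still carries its header.
    """
    return {name: jet_signature(blob) for name, blob in attachments}


# Constructed sample attachments: a Jet database renamed to .txt, an MSISAM
# file, an OLE compound-document header as Word uses, and a truncated file.
SAMPLE_ATTACHMENTS = [
    ("notes.txt", b"\x00\x01\x00\x00" + b"Standard Jet DB" + b"\x00" * 32),
    ("export.dat", b"\x00\x01\x00\x00" + b"MSISAM Database" + b"\x00" * 32),
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40),
    ("stub.bin", b"\x00\x01"),
]

if __name__ == "__main__":
    for name, sig in classify_attachments(SAMPLE_ATTACHMENTS).items():
        verdict = f"Jet file ({sig}) -> quarantine" if sig else "no Jet signature"
        print(f"{name:12s} {verdict}")
```

Because only the first 19 bytes are read, the check is cheap enough to run on
every attachment; what a gateway does with a hit (delete, quarantine, notify)
is the policy decision the advisory leaves to the mail administrator.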
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update