0patch community released micropatches for Microsoft JET Database zero-day

0patch community released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative

Experts from 0patch, a community of experts that aims at addressing software flaws, released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability that Trend Micro’s Zero Day Initiative (ZDI) disclosed last week.

The flaw is an out-of-bounds (OOB) write in the JET Database Engine that a remote attacker could exploit to execute arbitrary code on vulnerable systems.

The zero-day vulnerability has received a CVSS score of 6.8 and resides in the management of indexes in JET. An attacker can use specially crafted data in a database file to trigger a write past the end of an allocated buffer.
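To make the bug class concrete, here is an added example that is not from the article, ZDI or 0patch and does not reproduce JET's real on-disk format or code: a constructed toy record carries an index count, a parser trusts that count and writes past its fixed-size table, and a hardened version beside it checks the count against the allocated capacity and the record length before any write happens. The record layout, the `INDEX_CAPACITY` constant and the canary slot are all assumptions of the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy format (assumption for the demo, NOT JET's real layout):
 * one byte giving the number of index entries, followed by that many
 * 2-byte little-endian entries. The parser copies them into a table that
 * the caller allocated with room for INDEX_CAPACITY entries.
 */
#define INDEX_CAPACITY 4
#define CANARY 0xBEEF

typedef struct {
    /* slots[0..INDEX_CAPACITY-1] is the table; slots[INDEX_CAPACITY] stands in
     * for whatever data sits right after the buffer in a real heap. It lives
     * inside the struct only so the demonstration stays defined behaviour. */
    uint16_t slots[INDEX_CAPACITY + 1];
} index_table;

static void table_init(index_table *t) {
    memset(t->slots, 0, sizeof t->slots);
    t->slots[INDEX_CAPACITY] = CANARY;
}

static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable parser: it validates the record length but trusts the
 * file-supplied count when writing, so a count above INDEX_CAPACITY writes
 * past the logical end of the table. Returns entries written or -1. */
static int parse_indexes_unchecked(index_table *t, const uint8_t *rec, size_t len) {
    if (len < 1) return -1;
    size_t count = rec[0];
    if (len < 1 + 2 * count) return -1;
    for (size_t i = 0; i < count; i++)          /* no check of i against INDEX_CAPACITY */
        t->slots[i] = read_le16(rec + 1 + 2 * i);
    return (int)count;
}

/* Hardened parser: every value read from the file is checked against what
 * was actually allocated before it drives a write. Returns entries written
 * or a negative error code. */
static int parse_indexes_checked(index_table *t, const uint8_t *rec, size_t len) {
    if (len < 1) return -1;
    size_t count = rec[0];
    if (count > INDEX_CAPACITY) return -2;        /* would write past the table */
    if (len < 1 + 2 * count) return -3;           /* record shorter than it claims */
    for (size_t i = 0; i < count; i++)
        t->slots[i] = read_le16(rec + 1 + 2 * i);
    return (int)count;
}

typedef int (*index_parser)(index_table *, const uint8_t *, size_t);

/* Constructed well-formed record: two entries for a four-slot table. */
static const uint8_t good_record[] = { 0x02, 0x10, 0x00, 0x20, 0x00 };

/* Constructed malformed record: claims five entries for a four-slot table;
 * the fifth entry (0x4141) lands on the adjacent slot. */
static const uint8_t bad_record[] = {
    0x05,
    0x01, 0x00,  0x02, 0x00,  0x03, 0x00,  0x04, 0x00,
    0x41, 0x41
};

/* Runs a parser on a fresh table and returns its result code. */
static int parse_result(index_parser parser, const uint8_t *rec, size_t len) {
    index_table t;
    table_init(&t);
    return parser(&t, rec, len);
}

/* Runs a parser on the malformed record and returns what is left in the
 * adjacent slot: CANARY means intact, anything else means an OOB write. */
static uint16_t adjacent_after(index_parser parser) {
    index_table t;
    table_init(&t);
    parser(&t, bad_record, sizeof bad_record);
    return t.slots[INDEX_CAPACITY];
}

int main(void) {
    printf("unchecked parser: adjacent slot = 0x%04X\n", adjacent_after(parse_indexes_unchecked));
    printf("checked parser:   adjacent slot = 0x%04X, result = %d\n",
           adjacent_after(parse_indexes_checked),
           parse_result(parse_indexes_checked, bad_record, sizeof bad_record));
    return 0;
}
```

The unchecked parser is the shape of bug a page-heap run surfaces as a crash on the first write past the allocation; the checked one rejects the record before touching memory, which is what a vendor or third-party patch at the vulnerable write has to achieve.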

According to the ZDI's disclosure policy, details on the vulnerability could be released 120 days after the vendor was notified of the issue, even if the flaw was still unpatched.

ZDI also published the proof-of-concept (PoC) exploit code for the vulnerability.

The 0patch community is known for developing tiny patches, usually less than 30 bytes in size. In this case its experts devised a fix for the zero-day in less than 24 hours after the public disclosure of the issue.

Experts from 0patch highlighted that the PoC code published by ZDI only works on 32-bit systems; on 64-bit systems it produces an error message instead, unless it is launched with wscript.exe.

The crash triggered by the PoC, the closest observable point of failure, was the starting point of the experts' analysis.

“As usual, we started our analysis from the closest observable point of failure and worked backward to the vulnerable code. Ideally, the “closest observable point of failure” is a process crash, and in this case, ZDI’s PoC indeed causes a crash in wscript.exe due to an attempt to write past the allocated memory block. So their PoC was perfect for us.” reads the analysis of the 0patch experts.

“(Not surprisingly, it’s easier for us to work with a crash case than a full blown calc-popping exploit.) Here’s how the crash looks in WinDbg, with Page Heap enabled and invalid memory access in function TblPage::CreateIndexes:”

0patch released the micro-patch for Windows 7 just 7 hours after ZDI shared the PoC for the Windows Microsoft JET Database Engine zero-day.

When the experts then attempted to port the patch to other supported Windows versions, they noticed that almost all of them ship the exact same version of msrd3x40.dll, which suggested that the same micropatch would apply to all of these systems.

The experts pointed out that only one Windows version, Windows 10, uses a different msrd3x40.dll.

“The only Windows version with a different msrd3x40.dll was Windows 10: peculiarly, both DLLs had the same version and exactly the same size, but plenty of small differences between the two (including the link timestamp). The code was exactly the same and in the same place though (probably just a re-build), so we could actually use the exact same source code for the micropatch, just a different file hash.” continues the analysis.

The two micropatches for the Windows zero-day were issued less than 24 hours after the public disclosure of the technical details of the flaw.

“These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users’ computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities.” continues the analysis.

Users who want the micropatches just need to install and register the 0patch Agent; in any case, it is strongly recommended to install Microsoft's official updates once Microsoft issues them.


Pierluigi Paganini

(Security Affairs – micro patches, Microsoft JET Database)
