M$ Jet db engine buffer overflow **0-DAY?**
Results 1 to 2 of 2

Thread: M$ Jet db engine buffer overflow **0-DAY?**

  1. #1
    oldie ric-o's Avatar
    Join Date
    Nov 2002

    M$ Jet db engine buffer overflow **0-DAY?**

    Appears to be another 0-day vulnerability released.

    I checked my files and while I am on Office 2003 (upgraded from XP) I have vulnerable 'msjet40.dll' files in my system32 directory...dont know if they are still used but if so Office 2003 is vulnerable as well even though it's not on the list.

    Here's the posting by the researcher:

    Here's SecurityFocus' bid:

    Microsoft was notified on March 30, 2005. Message acknowledged by an automated reply. No human response received.
    This vulnerability was announced on March 31, 2005. Not trying to spark another disclosure debate but it would seem to me that giving a vendor 1 day notice before announcing your findings is a wee-bit too small.

    Doubt M$ will have enough time to get a patch ready for next Tuesday...but one could only hope.

    Thought you all should be aware.

  2. #2
    Senior Member
    Join Date
    Jun 2003
    On SecurityFocus they said this is a remote exploit but not local. Is that backwards?
    Now Im not familiar with Access but it would seem to me that the database file resides locally and a local acess is what causes the BOF. Unless you can remote the file in.
    That which does not kill me makes me stronger -- Friedrich Nietzche

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts