Thread: M$ Jet db engine buffer overflow **0-DAY?**

  1. #1

    Appears to be another 0-day vulnerability released.

    I checked my files and while I am on Office 2003 (upgraded from XP) I have vulnerable 'msjet40.dll' files in my system32 directory... don't know if they are still used, but if so Office 2003 is vulnerable as well even though it's not on the list.

    Here's the posting by the researcher:
    http://www.hexview.com/docs/20050331-1.txt

    Here's SecurityFocus' bid:
    http://www.securityfocus.com/bid/12960/info/

    Microsoft was notified on March 30, 2005. Message acknowledged by an automated reply. No human response received.
    This vulnerability was announced on March 31, 2005. Not trying to spark another disclosure debate but it would seem to me that giving a vendor 1 day's notice before announcing your findings is a wee bit too small.

    Doubt M$ will have enough time to get a patch ready for next Tuesday...but one could only hope.

    Thought you all should be aware.

  2. #2
    On SecurityFocus they said this is a remote exploit but not local. Is that backwards?
    Now I'm not familiar with Access but it would seem to me that the database file resides locally and a local access is what causes the BOF. Unless you can remote the file in.
    That which does not kill me makes me stronger -- Friedrich Nietzsche
