The Google Project Zero security team publicly disclosed a remote code execution vulnerability affecting the Microsoft Jet database engine on September 20. This vulnerability is considered to affect all supported versions of Windows (including server versions) and has not been patched as of the date of this release.
The Google team said they had followed their disclosure process and that Microsoft has exceeded the 120-day vulnerability disclosure deadline.
The vulnerability is an out-of-bounds (OOB) write vulnerability that can be triggered by opening a Jet data source via OLEDB:
Security researchers say there is a flaw in index management in the Jet database engine. If utilised, it may result in remote code execution in the context of the current user. However, the precondition for triggering a vulnerability is that the user needs to open a malicious file containing Jet database information.
It is reported that Google reported this vulnerability to Microsoft on May 8, and Microsoft also resolved two separate buffer overflow vulnerabilities affecting Jet in the latest patch, but the fix for the vulnerability was not released.