Fri. Jul 10th, 2020

Microsoft still has not completely solved the Microsoft JET database engine vulnerability


Microsoft’s routine security update released this month has fixed multiple security issues in the system, but the Microsoft JET database engine vulnerability has not been completely fixed.

Trend Micro Labs found the Microsoft JET vulnerability long ago and reported it to Microsoft, but Microsoft did not fix the bug for several months.

Last month, Trend Micro automatically disclosed the details of the vulnerability, forcing Microsoft to address the Microsoft JET vulnerability in this month's routine update.

September Patch Tuesday

Microsoft is only mitigating rather than completely fixing the vulnerability:

According to the latest analysis, security sources found that the update Microsoft released for the Microsoft JET engine only mitigates the impact of the vulnerability.

The vulnerability has not been completely fixed; that is, it can still be exploited. Microsoft JET is a widely used document database engine.

An attacker can exploit the Microsoft JET vulnerability to execute arbitrary code remotely, so the weakness is relatively severe.

Microsoft’s fix destroys the researcher’s plan:

After the vulnerability was disclosed last month, Acros Security provided an interim patch that fixes the database engine completely once users install it.

Unfortunately, Microsoft's update this time not only failed to completely fix the vulnerability but also broke the fix that Acros Security had provided to users.

Acros Security said that installing Microsoft's latest cumulative update reopens the vulnerability that its patch had fixed, which is ironic.

What exactly is Microsoft doing:

First, four months passed altogether from Trend Micro finding the vulnerability to disclosing it; that is, Microsoft did not fix the vulnerability in four months.

It's hard to guess why Microsoft did not fix the vulnerability, but this update suggests that Microsoft was in a hurry.

So if Microsoft didn't have time to fix the vulnerability, there may have been other problems. Maybe Microsoft wanted to solve the problem in one go.