HOME > VULNERABILITY NOTES


   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2005-93
Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability

Original Issue Date: October 6, 2005

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Access 2000
  • Microsoft Access 2002
  • Microsoft Access 2003
  • Microsoft Office 2000
  • Microsoft Office 2003 Professional Edition
  • Microsoft Office 2003 Small Business Edition
  • Microsoft Office 2003 Standard Edition

Overview

A vulnerability has been identified in Microsoft Jet Database Engine, which could be exploited by malicious user to execute arbitrary code on the affected system.

Description

Microsoft Jet database is a lightweight database widely used by MS Office applications. This vulnerability is caused due to an input validation error in Jet engine library (msjet40.dll) which handles the database files. To exploit this vulnerability an attacker could create a specially crafted .mdb file in Microsoft Access and convince the user to open the same.

It has also been observed that this vulnerability is being exploited by the Trojan called MSJet.gen which subsequently drops a backdoor named as backdoor.Hesive in the compromised systems.

Workaround

Do not open untrusted ".mdb" database files

Vendor Information

Microsoft Corporation
http://www.microsoft.com

References

Hexview
http://www.hexview.com/docs/20050331-1.txt

US CERT Vulnerability Note VU#176380
http://www.kb.cert.org/vuls/id/176380

Secunia
http://secunia.com/advisories/14896/

marc.theaimsgroup.com
http://marc.theaimsgroup.com/?l=bugtraq&m=111231465920199&w=2

Security Focus
http://www.securityfocus.com/bid/12960

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/
backdoor.hesive.html

CVE Name
CAN-2005-0944

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003