Microsoft issued critical updates Tuesday addressing remote code execution vulnerabilities in Microsoft Jet Database Engine version 4.0 that affects Microsoft Word. The software giant also addressed a flaw in its Malware Protection Engine, which experts say should be addressed immediately.
In MS08-026, Microsoft plugged a hole in its Jet Database Engine that was being actively exploited in targeted attacks in the wild. Microsoft said the Jet Database flaw allowed an attacker to open a Jet Database file from a Microsoft Word document or an email. In order for the vulnerability to be exploited, users would have to click on a link in an email message to navigate to a malicious website that contains a specially crafted Word file. The flaw allowed an attacker to gain the same user rights as the local user.
Microsoft's MS08-028 bulletin addresses a similar remote code execution vulnerability in the Jet Database Engine. An attacker could send a malicious database query through Visual Basic or a third party application using the database engine and gain access to a system. As a workaround before deploying the patch, companies can block .mdb files from being processed through email.
"These are the most critical. In real world environments Word documents are not blocked," said Jason Miller, the security data team manager, at Roseville, Minn.-based Shavlik Technologies. "It's going to be relatively easy to exploit this and now that it is more known, more people will probably be jumping on board with this."
A Word document doesn't even have to be opened for the exploit to work. An attacker can make it work using the preview pane in Outlook 2003 and 2007, he said.
"The two main attack vectors are going to be through email and through specially crafted Web pages as well," Miller said.
A vulnerability in Microsoft Malware Protection Engine is addressed in MS08-029. The update fixes a flaw labeled "moderate" by Microsoft. Specially crafted files can cause the protection engine software to stop responding and restart when it scans them. It can also cause an denial of service by causing large temporary files to fill the machine's hard drive.
"This one should be taken very seriously," said Don Leatham, director of solutions and strategy at Lumension Security. "From an organizational wide attack standpoint, this would be a very interesting denial of service attack internally launched against an organization."
Shavlik's Miller agreed. He said the update is extremely important since an active exploit could cause the protection engine to stop alltogether. Windows Defender and Windows Live OneCare are affected on individual machines, but Microsoft Antigen runs for an Exchange server, which serves critical applications, Miller said.
"This is a security product. A security product that's supposed to defend you against these things," Miller said.
A critical update to Microsoft Publisher 2000 was addressed in the MS08-027 bulletin. The update adds an Office Document Open Confirmation Tool warns users with a message to "Open", "Save", or "Cancel" before accessing a document via Internet Explorer. Later versions of Microsoft Publisher and Word already have the feature built-in.