A US-CERT advisory posted December 10 warns users to be wary of opening Microsoft Access Database (.MDB) files received in email. A stack buffer overflow vulnerability triggered by a specially crafted .MDB file can cause code to execute without requiring any user interaction. When exploited, the vulnerability allows malicious users to install files on affected systems.
Trend Micro detects the exploit as HKTL_MDBEXP.A, which takes advantage of the Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability. Once this hacking tool has exploited a vulnerable target, malicious users can execute certain commands on an affected system. Research Project Manager Ivan Macalintal says it’s already being seen in Korea.
Although ordinary users rarely encounter .MDB files, they open readily on any system with Microsoft Access installed. Add a good deal of social engineering, and the user may be persuaded to open the malicious .MDB file. Microsoft has also issued a warning that .MDB files are exclusively designed for executing commands, so users should be careful in accepting or downloading them, especially when they do not come from legitimate sources.
This is the second time this month that a malicious .MDB file has been reported; the first involved a Trojan that used a vulnerability to drop and execute other malicious files.
In this regard, US-CERT warns the public:
- Do not open attachments from unsolicited email messages
- Block high-risk file attachments at email gateways
Trend Micro couldn’t agree more. This warning extends not only to .MDB files, but to other attachments received via unsolicited email as well.
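As an added illustration of the gateway-side blocking US-CERT recommends (this is example code, not from the advisory or from Trend Micro), the Python below inspects each attachment of a MIME message and flags Access databases both by extension and by the "Standard Jet DB" signature at byte offset 4 of Jet 3/4 .MDB files, so a database renamed to a harmless-looking extension is caught as well. The sample message and the Jet file stub are constructed inline.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Jet 3/4 (.mdb) files carry this ASCII signature at byte offset 4.
JET_MAGIC = b"Standard Jet DB"
# Extensions a gateway policy for this advisory would block outright.
BLOCKED_EXTENSIONS = {".mdb", ".mde", ".accdb"}


def is_jet_database(data: bytes) -> bool:
    """True if the payload carries the Jet database header, whatever its name."""
    return len(data) >= 20 and data[4:4 + len(JET_MAGIC)] == JET_MAGIC


def find_risky_attachments(raw_message: bytes) -> list:
    """Return a finding per attachment that is an Access database by name or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if is_jet_database(payload):
            reasons.append("Jet database header")
            if ext not in BLOCKED_EXTENSIONS:
                # Content says .mdb but the name does not: renamed attachment.
                reasons.append("extension mismatch")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a real .mdb, a renamed .mdb, and a benign text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Client list"
    msg.set_content("Please open the attached database.")
    # Minimal constructed Jet header stub: 4 version bytes, signature, NUL, padding.
    jet_stub = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" + b"\x00" * 12
    for name, data in (("clients.mdb", jet_stub), ("notes.txt", jet_stub), ("readme.txt", b"hello")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_risky_attachments(build_sample_message()):
        print(finding["filename"], "->", ", ".join(finding["reasons"]))
```

Run as-is it reports clients.mdb (blocked extension, Jet header) and notes.txt (Jet header, extension mismatch) while leaving readme.txt alone.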
Additional text by Roderick Ordoñez