Zero-Day Exploits Target Microsoft Jet Flaw

March 27th, 2008 by JM Hipolito (Technical Communications)

Investigations are currently being conducted as reports of targeted attacks through an unpatched security flaw in Microsoft’s Jet Database Engine has surfaced.

This vulnerability is exploited through a specially crafted Microsoft Word document detected by Trend Micro as TROJ_EMBED.AA. The Word file launches a Microsoft Database (MDB) file detected as TROJ_MSJET.C, which serves as a mail-merge file once the document is opened. At this point the vulnerability is exploited, allowing the Word document to drop a malicious .EXE file on the affected system.

The mentioned Word file also drops files that Trend Micro detects as the following:

TROJ_AGENT.TBS

TROJ_SMALL.EGV

BKDR_DARKMOON.AC

TSPY_KEYLOG.CF

The following sofware are vulnerable to this attack:

Microsoft Word 2000 Service Pack 3

Microsoft Word 2002 Service Pack 3

Microsoft Word 2003 Service Pack 2

Microsoft Word 2003 Service Pack 3

Microsoft Word 2007

Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000

Windows XP

Windows Server 2003 Service Pack 1

On the other hand, systems running under Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not affected by this vulnerability as they include a version of the Microsoft Jet Database Engine that is no longer vulnerable to this issue.

More information regarding this vulnerability can be found on this advisory from Microsoft:

Microsoft Security Advisory (950627)

The Microsoft Jet (Joint Engine Technology) Database Engine is the underlying building block of Microsoft’s databases (collections of information structured in a certain way) allowing the manipulation of relational database via a single interface.

Users are advised to keep their scan engines, applications and operating systems updated and to avoid clicking on attachments in spammed email messages.