Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/ms08-028.mspx
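Affected Software (operating system - component - maximum security impact - aggregate severity rating - bulletins replaced by this update):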
* Microsoft Windows 2000 Service Pack 4 - Microsoft Jet 4.0 Database Engine - Remote Code Execution - Critical - MS04-014
* Windows XP Service Pack 2 - Microsoft Jet 4.0 Database Engine - Remote Code Execution - Critical - None
* Windows XP Professional x64 Edition - Microsoft Jet 4.0 Database Engine - Remote Code Execution - Critical - None
* Windows Server 2003 Service Pack 1 - Microsoft Jet 4.0 Database Engine - Remote Code Execution - Critical - None
* Windows Server 2003 x64 Edition - Microsoft Jet 4.0 Database Engine - Remote Code Execution - Critical - None
* Windows Server 2003 with SP1 for Itanium-based Systems - Microsoft Jet 4.0 Database Engine - Remote Code Execution - Critical - None
Non-Affected Software:
* Windows XP Professional x64 Edition Service Pack 2 - Microsoft Jet 4.0 Database Engine
* Windows XP Service Pack 3 - Microsoft Jet 4.0 Database Engine
* Windows Server 2003 Service Pack 2 - Microsoft Jet 4.0 Database Engine
* Windows Server 2003 x64 Edition Service Pack 2 - Microsoft Jet 4.0 Database Engine
* Windows Server 2003 with SP2 for Itanium-based Systems - Microsoft Jet 4.0 Database Engine
* Windows Vista and Windows Vista Service Pack 1 - Microsoft Jet 4.0 Database Engine
* Windows Vista for x64-based Systems and Windows Vista Service Pack 1 for x64-based Systems - Microsoft Jet 4.0 Database Engine
* Windows Server 2008 for 32-bit Systems - Microsoft Jet 4.0 Database Engine
* Windows Server 2008 for x64-based Systems - Microsoft Jet 4.0 Database Engine
* Windows Server 2008 for Itanium-based Systems - Microsoft Jet 4.0 Database Engine
Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability - CVE-2007-6026
A buffer overrun vulnerability exists in the Microsoft Jet Database Engine (Jet) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Mitigating Factors for Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability - CVE-2007-6026
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's site.
* Systems that use Microsoft Outlook 2003 and 2007 as their e-mail client can mitigate the HTML email vector for Outlook 2007 by configuring mail to be read in plain text only.
* Systems running all supported editions of Windows XP Service Pack 3, Windows Server 2003 Service Pack 2, Windows Vista, and Windows Server 2008 are not affected by this vulnerability.
Workarounds for Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability - CVE-2007-6026
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
* Restrict the Microsoft Jet Database Engine from running for any application
To implement the workaround, enter the following command at a command prompt:
echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N
Impact of workaround. Any application requiring the use of the Microsoft Jet Database Engine to make data access calls will not function.
How to undo the workaround. Enter the following command at a command prompt:
echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /R everyone
* Use group policy to restrict the Microsoft Jet Database Engine from running for any application
To implement the workaround, perform the following steps:
1. Create the following script, named JetCacls.cmd for illustration:
@echo off
if exist %systemdrive%\Cacls.log goto end
cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N > nul 2>&1
echo %date% %time%: Msjet Cacls updated > %systemdrive%\Cacls.log
:end
exit
2. Copy JetCacls.cmd to the Netlogon shared folder, or another shared folder on the domain controller from which JetCacls.cmd would run.
3. Set up JetCacls.cmd. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
4. Click the Group Policy tab.
5. Click New to create a new Group Policy object (GPO), and enter JetCacls for the name of the policy.
6. Click the new policy, and then click Edit.
7. Expand Windows Settings for Computer Configuration, and then click Scripts.
8. Double-click Logon, and then click Add. The Add a Script dialog box appears.
9. Type \\servername\sharename\JetCacls.cmd in the Script Name box.
10. Click OK, and then click Apply.
11. Then restart the client computers that are members of this domain.
Impact of workaround. Any application that requires the use of the Microsoft Jet Database Engine to make data access calls will not function. This restriction only applies to applications that are running on client computers in the domain.
* Block MDB files from being processed through your mail infrastructure
Note: All Jet database files should be treated as unsafe file types for common users and Microsoft recommends that database files transferred via e-mail be treated as suspicious.
To implement this workaround, your mail environment must support the ability to search for attachments containing a specific file structure (not just the file extension) within an e-mail message and then perform actions on the attachment such as delete, quarantine, notify, and report the detected file.
To detect Jet files that have possibly been renamed to another file type, search for files with any of the following 15-byte signatures at location 0x4 (no quotes):
"Jet System DB  "
"Standard Jet DB"
"Temp Jet DB    "
For configurations specific to Microsoft Exchange customers using Forefront (formerly Antigen) technologies, please see Microsoft Forefront Server Security: File Filtering for more information.
This information has been shared with members of Microsoft Security Response Alliance. To utilize the MSRA tools to detect MDB files, please contact the providers as listed on the MSRA home page.
Impact of Workaround. Files detected by this configuration will be blocked from processing through an organization's e-mail system.
* Configure Outlook 2007 to read mail in plain text.
* Do not open or save Jet or Microsoft Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
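The attachment check described in the mail-infrastructure workaround above, as an added example that is not part of the bulletin or any Microsoft tool: it decodes every MIME part of a message and tests the 15 bytes at offset 0x4 against the three signatures, ignoring the file name. The function names, the sample message and the space padding of the shorter signatures to 15 bytes are assumptions made for this illustration.

```python
import email
from email.message import EmailMessage

SIG_OFFSET = 0x4   # signature location given in the bulletin
SIG_LEN = 15       # signature length given in the bulletin
# Signature names from the bulletin; padding the shorter ones with spaces
# to 15 bytes is an assumption based on the stated signature length.
JET_SIGNATURES = tuple(
    name.ljust(SIG_LEN).encode("ascii")
    for name in ("Jet System DB", "Standard Jet DB", "Temp Jet DB")
)


def is_jet_file(data: bytes) -> bool:
    """True if the 15 bytes at offset 0x4 match a Jet signature."""
    return data[SIG_OFFSET:SIG_OFFSET + SIG_LEN] in JET_SIGNATURES


def find_jet_attachments(raw_message: bytes) -> list:
    """Return the file names of MIME parts whose decoded content is a Jet file."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        if is_jet_file(payload):
            hits.append(part.get_filename() or "<unnamed part>")
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: Jet-style header renamed to .doc, and a harmless .mdb."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    fake_jet = b"\x00\x01\x00\x00" + b"Standard Jet DB" + b"\x00" * 32
    msg.add_attachment(fake_jet, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(b"just some notes, no database here",
                       maintype="application", subtype="octet-stream",
                       filename="notes.mdb")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_jet_attachments(build_sample_message()))
```

The renamed `report.doc` is flagged while `notes.mdb` is not, which is why the bulletin asks for a structure match rather than an extension filter.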
CVE Information:
CVE-2007-6026