April 12, 2005 4:43 PM PDT

Unpatched flaw found in Microsoft software

Microsoft is investigating the report of a flaw that could open systems using its Access or Office software up to attack.

The vulnerability, which was not one of eight patched by Microsoft on Tuesday, is in the Jet database engine component, according to an advisory posted the same day by security company Secunia. It could enable an intruder to remotely execute malicious code on a vulnerable PC, Secunia said.

Microsoft has not confirmed the existence of the security hole, which potentially affects software including Microsoft Office and the Microsoft Access database program.

Secunia rated the problem "highly critical," noting that exploit code for the flaw had been shared on a public mailing list.

"The vulnerability is caused due to a memory handling error when...parsing database files," Secunia said in its advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."

A Microsoft representative said on Tuesday that the company has not heard of any attacks on customers' systems using the unpatched security hole.

"We are aware of the exploit code that has been released," the Microsoft representative said, adding that the software maker would take appropriate action once it has completed its investigation of the problem.

The original alert regarding the flaw came from a security research firm called HexView, Secunia said.

Continuing an ongoing debate about when and how flaw finders should disclose vulnerabilities, Microsoft criticized the researchers for going public with the vulnerability, rather than privately contacting the software maker so a patch could be released when the flaw was disclosed.

"It is unfortunate that this researcher decided to post publicly," the Microsoft representative said.

HexView said in its own advisory that it notified Microsoft of the flaw on March 30, but had received no response.

A Microsoft representative said the company had no record of any contact from HexView before the flaw was publicized.

Word of the problem comes on the same day Microsoft released fixes for eight other flaws, several of them critical, and some of them revealed publicly for the first time in the company's monthly security bulletin.

CNET News.com's David Becker contributed to this report.

5 comments

Join the conversation!
Add your comment
Flaw in MS argument
Normally, I would agree with MS when flaws are publicly announced prior to a work-around fix...

HOWEVER, this flaw is already well known among the HACKER community, and with a working code already in circulation, I'd say that Secunia didn't do anything wrong by letting the rest of us know about it.

Their action helped "even" the uneven playing field in this case.
Posted by Tex Murphy PI (165 comments )
Reply Link Flag
typical
This is typical behavior in Microsoft.

They would rather not have these sorts of things made public so they can ignore it and fix it at their discretion.

Perhaps they should turn their attention away from a legit security alert and place it on the programmers who made this amatuer error. There is simply no excuse for memory handling errors. They are easily avoided with a bit of attention to detail.
Posted by pcLoadLetter (395 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.