(Click here for a larger view of MSJet40.dll version information)The update provides a new version of MSJet40.dll, the Jet database engine that provides data access to applications such as Microsoft Access and Visual Basic. In security advisory
950627, first published on Mar. 21 and updated on May 13, Microsoft acknowledged that a weakness in the way Jet parses data could allow an attacker to take "complete control of an affected system," installing programs, creating accounts, and manipulating data.
Attacks would occur via specially crafted files using Microsoft's Access' .MDB file format. "Specifically, customers with Microsoft Office could be at risk to e-mail or direct download attack scenarios. For example, an attacker could exploit the vulnerability by sending a Word file with a specially crafted .MDB file embedded in it to the user, then convincing the user to open the document or view the e-mail," the company said.
In the March bulletin, Microsoft confirmed that such attacks had occurred in the wild. According to reports by our sister publication
eWEEK.com, .MDB-based exploits of the Jet engine have taken place dating back as far as 2005. Reportedly, however, Microsoft did not provide updates to MSJet40.dll earlier because it believed that it had already blocked likely attack vectors. For example, Internet Explorer and Outlook were set to block .MDB files.
Users of Windows Vista, Windows Server 2003 SP2, and Windows XP Service Pack 3 (SP3), are not vulnerable to the bug because they already include versions of MSJet40.dll equal to or higher than 4.0.9505.0. As of today, for example, XP SP3 comes with 4.0.9511.0 (as shown in the picture above).
Windows XP Embedded (XPe) is, of course, inherently resistant to attacks, thanks to features such as the
Enhanced Write Filter, which allows for a device to be returned to its default condition whenever it is restarted. Nonetheless, Microsoft recommends installing the update, which is designed for use with XPe's Desktop QFE Installer (DQI) Tool.
To download the update, access Microsoft's Mobile & Embedded Communications Extranet (ECE),
here (a user name and password are required). To see earlier coverage of the .JET database vulnerability on
eWEEK.com, go
here,
here, and
here.
Related stories:
