Researcher Discloses Novel Zero-Day Affecting All Versions Of Windows

Influenza A virus subtype H5N1 safety researcher has publicly disclosed an unpatched zero-day vulnerability inwards all supported versions of Microsoft Windows operating organization (including server editions) afterwards the companionship failed to piece a responsibly disclosed põrnikas inside the 120-days deadline.

Discovered by Lucas Leong of the Trend Micro Security Research team, the zero-day vulnerability resides inwards Microsoft Jet Database Engine that could permit an assailant to remotely execute malicious code on whatever vulnerable Windows computer.

The Microsoft JET Database Engine, or but JET (Joint Engine Technology), is a database engine integrated inside several Microsoft products, including Microsoft Access together with Visual Basic.

According to the an advisory released past times Zero Day Initiative (ZDI), the vulnerability is due to a occupation amongst the administration of indexes inwards the Jet database engine that, if exploited successfully, tin displace an out-out-bounds retentivity write, leading to remote code execution.

An assailant must convince a targeted user into opening a particularly crafted JET database file inwards social club to exploit this vulnerability together with remotely execute malicious code on a targeted vulnerable Windows computer.

"Crafted information inwards a database file tin trigger a write past times the cease of an allocated buffer. An assailant tin leverage this vulnerability to execute code nether the context of the electrical flow process," Trend Micro's Zero Day Initiative wrote inwards its blog post.

"Various applications operate this database format. An assailant using this would hold upward able to execute code at the score of the electrical flow process."

According to the ZDI researchers, the vulnerability exists inwards all supported Windows versions, including Windows 10, Windows 8.1, Windows 7, together with Windows Server Edition 2008 to 2016.

ZDI reported the vulnerability to Microsoft on May 8, together with the tech giant confirmed the põrnikas on xiv May, but failed to piece the vulnerability together with unloosen an update inside a 120-day (4 months) deadline, making ZDI become populace amongst the vulnerability details.

Proof-of-concept exploit code for the vulnerability has every bit good been published past times the Trend Micro its GitHub page.

Microsoft is working on a piece for the vulnerability, together with since it was non included inwards September Patch Tuesday, you lot tin facial expression the educate inwards Microsoft's Oct piece release.

Trend Micro recommends all affected users to "restrict interaction amongst the application to trusted files," every bit a mitigation until Microsoft comes upward amongst a patch.