Exploit Code Published for Unpatched Office Flaw

Security researchers this week reported a flaw in the memory handling of the Microsoft Jet Database Engine that powers the Microsoft Office Access database. An attacker could use the flaw to remotely take control of a compromised system, according to HexView, a security firm that discovered the flaw.

Exploit code, a necessary precursor for attackers to use the flaw, has already been released.

The Microsoft Security Response Center is investigating the report. "[They] have been made aware that exploit code for this vulnerability has also been released. Microsoft has not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but are aggressively investigating the public reports," a Microsoft spokesperson said Thursday.

A patch could be released before Microsoft's next scheduled monthly patch release on May 10, the spokesperson said.

HexView rated the flaw "highly critical," which is the second-most serious rating in the firm's five-level rating system. Secunia, a security firm that tracks unpatched vulnerabilities across many operating systems and products, said the vulnerability had been confirmed on a fully patched system running Microsoft Access 2003. The firm said the flaw could affect Access 2000, Access 2002, Office 2000 and Office 2003.

HexView said it notified Microsoft about the flaw on March 30 and received only an automated reply from Microsoft.

Microsoft disputed HexView's account. "The MSRC has found no record of the finder contacting them with this report. As is a standard MSRC practice, they have outreached to the finder to try and work with them to learn more about the vulnerability and in turn be able to provide customers with the appropriate solution," the Microsoft spokesperson said. "Microsoft is concerned that this new report of a vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
