News

Exploit Targets Microsoft Access Database

Exploits continue to dog Microsoft programs and applications, as a government agency announced this week that a bug is in the wild that takes advantage of a flaw in Microsoft's Access Database.

The United States Computer Emergency Readiness Team (CERT), a subset of the U.S. Department of Homeland Security, issued an advisory stating that it has become aware of active exploitation using malicious databases, "to possibly install malware or other destructive viral programs."

A hack of the system through Access Database can happen if a database administrator or user opens an .mdb file -- the files most common in relational databases such as Access -- sent as an attachment through an e-mail message. If designed correctly, security experts say the malicious code can infiltrate the workstation running Access and run nefarious code with an elevated privilege level, effectively entering the network through a database.

Like many exploits, code execution in this case is contingent upon what's called buffer overflow, where a program such as Access would be attempting to store data beyond the boundary of fixed-length buffers configured by database administrators. The surplus data, like water spilling out a full cup, overwrites other memory locations causing a system crash and heightening the risks related to any vulnerability.

Security researchers last month discovered a similar buffer overflow bug in the Microsoft Jet DataBase engine, which is used to analyze and distribute Access files on database tables.

But the good news with the latest bug is that IT pros don't have to worry about it and aren't likely to see it unless they're also a database administrator.

"This .mdb file vector is more likely to be used in a targeted attack where the hacker knows the person opening the file is accustomed to using Access and sees these types of files often," said Marc Fossi, a manager at Symantec Security Response. "There have been similar issues in Access before, but on the plus side most people don't deal with these files and wouldn't recognize them."

Moreover, in most enterprise environments DBAs and other administrators are savvy enough to block this file type unless they know exactly where it's from. And in most cases, such files are blocked in both Microsoft Outlook and Internet Explorer.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.