INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | A buffer overfun vulnerability exists in the Microsoft Jet Database Engine (JET) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system. |
| PLATFORM: | Windows 2000 (all editions) Windows XP (all editions) Windows Server 2003 (all editions) Storage Management Appliance (SMA) I, II, III |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate verison. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
7.5 5.9 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/s-290.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS08-028.mspx |
| ADDITIONAL LINK: | Visit Hewlett-Packard's Subscription Service for: HPSBST02336 SSRT0800871 rev. 1 |
| CVE: | CVE-2007-6026 |
REVISION HISTORY:
05/20/2008 - revised S-288 to add a link to Hewlett-Packard's Subscription Service for
HPSBST02336 SSRT0800871 rev. 1 for Storage Management Appliance (SMA) I,
II, III.
06/05/2008 - revised S-290 to reflect changed Microsoft has made in MS08-028 where
they added a link to Microsoft Knowledge Base Article 950749 under Known
Issues in the Executive Summary.
07/29/2008 - revised S-290 to reflect changed Microsoft has made in MS08-028 where
they removed the link to Microsoft Knowledge Base Article 950749 under
Known Issues in the Executive Summary.
[***** Start Microsoft Security Bulletin (MS08-028) *****]
Version: 1.3
This security update resolves a security vulnerability in the Microsoft Jet Database Engine (Jet) in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for the Microsoft Jet 4.0 Database Engine. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the vulnerability by modifying the way that the Microsoft Jet Database Engine parses data within a database. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 950627. In addition to installing this update, we recommend that customers with Microsoft Word also install the updates provided in Microsoft Security Bulletin MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207) for the most up-to-date protection of the attack vector for these types of attacks.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
Microsoft Windows 2000 Service Pack 4 |
Remote Code Execution |
Critical |
||
Windows XP Service Pack 2 |
Remote Code Execution |
Critical |
None |
|
Windows XP Professional x64 Edition |
Remote Code Execution |
Critical |
None |
|
Windows Server 2003 Service Pack 1 |
Remote Code Execution |
Critical |
None |
|
Windows Server 2003 x64 Edition |
Remote Code Execution |
Critical |
None |
|
Windows Server 2003 with SP1 for Itanium-based Systems |
Remote Code Execution |
Critical |
None |
* These operating systems are delivered with the affected version of Jet, specifically the file msjet40.dll, with a version lower than 4.0.9505.0. See also the FAQ subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Non-Affected Software
| Operating System | Component |
Windows XP Professional x64 Edition Service Pack 2 |
Microsoft Jet 4.0 Database Engine** |
Windows XP Service Pack 3 |
Microsoft Jet 4.0 Database Engine** |
Windows Server 2003 Service Pack 2 |
Microsoft Jet 4.0 Database Engine** |
Windows Server 2003 x64 Edition Service Pack 2 |
Microsoft Jet 4.0 Database Engine** |
Windows Server 2003 with SP2 for Itanium-based Systems |
Microsoft Jet 4.0 Database Engine** |
Windows Vista and Windows Vista Service Pack 1 |
Microsoft Jet 4.0 Database Engine** |
Windows Vista for x64-based Systems and Windows Vista Service Pack 1 for x64-based Systems |
Microsoft Jet 4.0 Database Engine** |
Windows Server 2008 for 32-bit Systems |
Microsoft Jet 4.0 Database Engine** |
Windows Server 2008 for x64-based Systems |
Microsoft Jet 4.0 Database Engine** |
Windows Server 2008 for Itanium-based Systems |
Microsoft Jet 4.0 Database Engine** |
** These operating systems are delivered with the non-affected version of Jet, specifically the file msjet40.dll, with a version equal to or higher than 4.0.9505.0. See also the FAQ subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Severity Ratings and Vulnerability Identifiers |
Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability - CVE-2007-6026 |
Security Update Deployment |
* Windows 2000 (all editions)
* Windows XP (all editions)
* Windows Server 2003 (all editions)
Microsoft thanks the following for working with us to help protect customers:
| • | CERT/CC for reporting the issue - CVE-2007-6026 |
| • | ISC/SANS for reporting the issue - CVE-2007-6026 |
| • | Aaron Portnoy of TippingPoint DVLabs for reporting the issue - CVE-2007-6026 |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (May 13, 2008): Bulletin published. |
| • | V1.1 (May 28, 2008): Added entry to Update FAQ to clarify that CVE-2005-0944 was also addressed by this update. |
| • | V1.2 (June 4, 2008): Added a link to Microsoft Knowledge Base Article 950749 under Known Issues in the Executive Summary. |
| • | V1.3 (July 16, 2008): Removed link to Microsoft Knowledge Base Article 950749 under Known Issues in the Executive Summary. |
[***** End Microsoft Security Bulletin (MS08-028) *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/