An unpatched zero-day vulnerability that affects all versions of Windows including server editions have been revealed by a security researcher.
This vulnerability was discovered by Lucas Leong of the Trend Micro Security Research team and this flaw resides in Microsoft Jet Database Engine that could allow an attacker to remotely execute malicious code on any vulnerable Windows computer.
The Microsoft JET Database Engine, or JET (Joint Engine Technology), is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic
According to an advisory released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution.
In order to exploit this vulnerability an attacker must persuade a targeted user to open a specially crafted JET database file and remotely execute malicious code on the targeted vulnerable Windows computer.
As per the ZDI researchers, the vulnerability exists in all supported Windows versions, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016.
This vulnerability existed as the company failed to patch a responsibly disclosed bug within the 120-days deadline. ZDI reported the vulnerability to Microsoft on May 8, and the tech giant confirmed the bug on 14 May. However, they failed to patch the vulnerability and release an update which made ZDI release the details public.
A proof-of-concept exploit code for the vulnerability has been published by the Trend Micro in their GitHub page.
Now Microsoft is working on a patch for the vulnerability, and you can expect it in their October patch release.
All affected users are recommended to restrict interaction with the application to trusted files as a mitigation until Microsoft comes up with a patch.