Unpatched flaw found in Microsoft software

Software maker investigates report of hole in Office and Access--and of published exploit code that could let attackers take control of PCs.

Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.
Ina Fried
2 min read
Microsoft is investigating the report of a flaw that could open systems using its Access or Office software up to attack.

The vulnerability, which was not one of eight patched by Microsoft on Tuesday, is in the Jet database engine component, according to an advisory posted the same day by security company Secunia. It could enable an intruder to remotely execute malicious code on a vulnerable PC, Secunia said.

Microsoft has not confirmed the existence of the security hole, which potentially affects software including Microsoft Office and the Microsoft Access database program.

Secunia rated the problem "highly critical," noting that exploit code for the flaw had been shared on a public mailing list.

"The vulnerability is caused due to a memory handling error when...parsing database files," Secunia said in its advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."

A Microsoft representative said on Tuesday that the company has not heard of any attacks on customers' systems using the unpatched security hole.

"We are aware of the exploit code that has been released," the Microsoft representative said, adding that the software maker would take appropriate action once it has completed its investigation of the problem.

The original alert regarding the flaw came from a security research firm called HexView, Secunia said.

Continuing an ongoing debate about when and how flaw finders should disclose vulnerabilities, Microsoft criticized the researchers for going public with the vulnerability, rather than privately contacting the software maker so a patch could be released when the flaw was disclosed.

"It is unfortunate that this researcher decided to post publicly," the Microsoft representative said.

HexView said in its own advisory that it notified Microsoft of the flaw on March 30, but had received no response.

A Microsoft representative said the company had no record of any contact from HexView before the flaw was publicized.

Word of the problem comes on the same day Microsoft released fixes for eight other flaws, several of them critical, and some of them revealed publicly for the first time in the company's monthly security bulletin.

CNET News.com's David Becker contributed to this report.