Vulnerability Note VU#740716

Microsoft Jet Database Engine database request handling buffer overflow

Original Release date: 13 Apr 2004 | Last revised: 14 Apr 2004

Overview

The Microsoft Jet Database Engine (Jet) provides data access functionality to a number of other Microsoft and many third party applications. A buffer overflow vulnerability exists in the Jet Database Engine that could allow a remote attacker to execute code of their choosing on an affected system.

Description

A buffer overflow error exists in the way that a database request is processed by the Microsoft Jet Database Engine. This error results in a vulnerability that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system.

Impact

A remote attacker can execute arbitrary code of their choosing with the same privileges as the user context of the application using the Jet Database Engine. The attacker may be able to leverage these privileges to take complete control of an affected system. Microsoft lists secondary impacts including, but not limited to, installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

Solution

Apply a patch from the vendor

Microsoft, Inc. has published Microsoft Security Bulletin MS04-014 in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-13 Apr 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Microsoft Security for reporting this vulnerability. Microsoft, in turn, credits Matt Thompson of Aberdeen IT for reporting this vulnerability to them.

This document was written by Chad R Dougherty based on information provided in Microsoft Security Bulletin MS04-014.

Other Information

  • CVE IDs: CAN-2004-0197
  • Date Public: 13 Apr 2004
  • Date First Published: 13 Apr 2004
  • Date Last Updated: 14 Apr 2004
  • Severity Metric: 12.83
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.