MS Database Engine Flaw Discovered

Security firm Secunia on Tuesday announced that it had uncovered a vulnerability within Microsoft's Jet Database Engine that could possibly compromise a user's system by allowing the attacker to excute malicious code hidden in an Access database (.mdb) file.

The firm labeled the flaw "highly critical," and said it affects Windows 2000 and XP Home and Professional operating systems, along with Access 2000, 2002, and 2003 databases.

A memory handling error occurs when the engine parses a .mdb database file. A hacker could exploit the vulnerability by tricking the user into executing the file, allowing it to run malicious code on the user's system.

According to Secunia, details of how to exploit this vulnerability have already circulated on a public mailing list, and the firm urged computer users to make sure they know the person who is sending the database files before opening them.

The vulnerability was confirmed on a fully patched version of both Windows XP SP1 and SP2 with Access 2003.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Office. We have been made aware that exploit code for this vulnerability has also been released," a company spokesperson told BetaNews. "We have not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."