Security researchers have disclosed an unpatched zero-day vulnerability that affects all supported versions of Windows.
The vulnerability was publicly disclosed by Trend Micro researchers after Microsoft failed to patch it within the 120-day deadline.
The vulnerability resides in the JET Database Engine and could be exploited by attackers to execute malicious code remotely on any vulnerable Windows system.
“The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process,” states the advisory published by Zero Day Initiative (ZDI).
The zero-day vulnerability has a CVSS score of 6.8 and requires user interaction to exploit: a user needs to click on a malicious file or visit a malicious page to trigger the flaw.
According to ZDI, the flaw was reported to Microsoft on May 8th, 2018, and the company acknowledged the report the same day.
The researchers decided to go public after Microsoft failed to patch the vulnerability within the 120-day deadline.
Researchers said the flaw exists in Windows 7 and in all supported versions of Windows, including server editions.
“Our investigation has confirmed this vulnerability exists in Windows 7, but we believe that all supported Windows versions are impacted by this bug, including server editions. You can view our advisory here. Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources,” Zero Day Initiative said in its post.