Not long ago, in August 2018, a zero-day security flaw was discovered by a user on Twitter. It is located in the Windows Task Scheduler and gives malware or malicious people a chance to take control of the system. Recently, Windows has released a patch to fix it, but the result is still unsatisfactory.
Though Microsoft has reacted recently to fix the zero-day flaw found in August this year, this is not enough. Researchers of this flaw have warned that the official patch offered by Microsoft was actually “incomplete”. That is to say, the attempt to patch the zero-day vulnerability in Microsoft’s JET Database Engine was not very successful.
Windows users are still not fully protected; the fix provided by Microsoft during the October 2018 Patch Tuesday only limits the vulnerability and does not eliminate it completely. That is to say, the zero-day vulnerability is still open to attacks.
Microsoft Failed in Patching Zero-day Vulnerability
It is said that Microsoft failed to patch the zero-day bug within the 120-day disclosure timeline; this flaw then led to remote code execution in September 2018. Since the JET Database Engine is included in all versions of Windows, a micropatch was offered by 0patch within one day (24 hours). Microsoft was then informed that no further details or proof-of-concept would be published until a correct fix had been released.
It is said that Microsoft failed to patch the zero-day flaw in due time; that’s why they are willing to make this issue public. It is advisable for users and companies to take action themselves to avoid any exploitation attempts. A good choice for them is applying a micropatch until the proper fix is finally released by Microsoft.
Influences of Zero-day Vulnerability
The Breach Has Affected About 30,000 Workers
The modern weapons systems of the Pentagon are said to fall victim to hackers easily. This fact became known to the public recently. A few days after that, the Pentagon admitted a breach of Department of Defense (DoD) travel records, which is said to have compromised the information and credit card data of about 30,000 workers (military and civilian personnel).
What’s more, the number of people affected by the breach may increase as the investigation expands, according to the Associated Press (a U.S.-based not-for-profit news agency headquartered in New York City).
More Than 9 Million Devices Are Open to Remote Attack
SEC Consult said that flaws were detected in millions of security cameras, DVRs, and NVRs, which may allow attackers to take remote control of the devices easily. Be cautious, since you may have one of those devices and not realize it. Researchers also said that no proper mitigations have been provided for the devices vulnerable to RCE via “XMeye P2P Cloud”.
Access Tokens of 30 Million Facebook Users Are Stolen
“Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.” – said by the Facebook team in the update about the “View As” bug
The post also explains in detail how the hackers carried out this work.
About JET Engine
The JET Engine was Microsoft’s first step into database technology. Developed and released in the 90s, the JET Engine has been used to support various Microsoft apps; some of the most famous are:
- Access
- IIS 3.0
- Visual Basic
- Microsoft Project
Later, Microsoft discarded the JET Database Engine and adopted newer technologies. Even so, JET is still included in Windows for legacy purposes.
In the zero-day bug incident, Microsoft has been criticized by information security experts mainly because of its slow response in patching the vulnerability; more importantly, Microsoft’s patch is not enough to prevent remote control over the systems of Windows users.
Thus, Microsoft must work harder to resolve this crisis.