Canada Flag Public Safety and Emergency Preparedness Canada | Sécurité publique et Protection civile Canada
Symbol of the Government of Canada
Sauter les menus principaux  
Skip all menus (access key: 2) Skip first menu (access key: 1)
Français Contact Us Help Search Canada Site
About Us Policy Research Programs Newsroom
Public Safety and Emergency Preparedness Canada - Sécurité publique et Protection civile Canada
 
You have accessed an archived page on the Public Safety and Emergency Preparedness Canada website. This material may be outdated. Please consult our new site for up-to-date information.


Advisory Number: AV05-020
Microsoft Jet DB engine vulnerabilities
15 April 2005

Purpose
The purpose of this advisory is to bring attention a report of a vulnerability in Microsoft Jet Database Engine.

Assessment
Microsoft Jet database is a lightweight database widely used by MS Office applications. The main component of the Microsoft Jet database engine is msjet40.dll, which evaluates and carries out requests for data. The library handles reading and writing of the data for Microsoft Access databases.

Sufficient data validation is not performed when msjet40.dll parses the database file. As a result, it is possible to modify the database file to allow the execution of arbitrary code when the MS Jet database is opened.

HexView reports that the latest avaliable msjet40.dll library (version
4.00.8618.0) was found to be vulnerable. Earlier versions were not teseted, but it should be assumed that all earlier releases of the library are also vulnerable.

MS JetDB OLE Provider (msjetoledb40.dll) is not affected.

Proof of concept and exploit code is publicly available for this vulnerability.

Suggested Action
PSEPC recommends that system administors block ".mdb" database files at their gateway. No patch is available at this time from Microsoft, but it is recommended that system administrators test and install the patch when it becomes released. Additional information is available at:
http://www.hexview.com/docs/20050331-1.txt
http://secunia.com/advisories/14896


---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. To report threats or incidents, please contact the PSEPC operations coordination centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

Links to sites not under the control of the Government of Canada (GoC) are provided solely for the convenience of users. The GoC is not responsible for the accuracy, currency or the reliability of the content. The GoC does not offer any guarantee in that regard and is not responsible for the information found through these links, nor does it endorse the sites and their content.
Last Updated: 10/25/2005
Top of page
 Important Notices