Overview
The Microsoft Jet Database Engine (Jet) provides data access functionality to a number of other Microsoft applications and to many third-party applications. A buffer overflow vulnerability exists in the Jet Database Engine that could allow a remote attacker to execute code of their choosing on an affected system.
Description
A buffer overflow error exists in the way that a database request is processed by the Microsoft Jet Database Engine. This error results in a vulnerability that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system.
Impact
A remote attacker can execute arbitrary code of their choosing with the same privileges as the user context of the application using the Jet Database Engine. The attacker may be able to leverage these privileges to take complete control of an affected system. Microsoft lists secondary impacts including, but not limited to, installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Solution
Apply a patch from the vendor
Microsoft, Inc. has published Microsoft Security Bulletin MS04-014 in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.
Acknowledgements
Thanks to Microsoft Security for reporting this vulnerability. Microsoft, in turn, credits Matt Thompson of Aberdeen IT for reporting this vulnerability to them.
This document was written by Chad R Dougherty based on information provided in Microsoft Security Bulletin MS04-014.
Other Information
CVE IDs: CVE-2004-0197
Severity Metric: 12.83
Date Public: 2004-04-13
Date First Published: 2004-04-13
Date Last Updated: 2004-04-14 19:56 UTC
Document Revision: 20