Patch Your Microsoft Windows and Office: Fortinet Discovers Three Zero-Day Remote Code Execution Vulnerabilities

A FortiGuard Labs Breaking Threat Research Report

On the April 9, 2019 Patch Tuesday, Microsoft released patches for several vulnerabilities in Windows and Office. Three of them were discovered and reported by FortiGuard Labs researcher Honggang Ren by following Fortinet’s responsible disclosure process. The CVE numbers assigned to them are CVE-2019-0825, CVE-2019-0851 and CVE-2019-0877. Two of them are related to Microsoft Jet Database Engine. The other is related to the Microsoft Office Access Connectivity Engine, which is an Office-specific version of the Jet Database Engine. All three of these vulnerabilities could lead to remote code execution, and have been given an Important rating by Microsoft.

In this post we will provide more details on these vulnerabilities for zero-day:

Vulnerabilities

• CVE-2019-0825

CVE-2019-0825 is a remote code execution vulnerability in the Microsoft Office Access Connectivity Engine that results from its failure to properly handle objects in memory. When parsing a malformed file, an Uninitialized Read results in memory corruption that can eventually lead to a remote code execution scenario. The vulnerability exists in the function _ACfree.

User interaction is required to exploit this vulnerability, wherein the victim must open a malformed file. An attacker who successfully exploits this vulnerability could execute arbitrary code on a victim’s system in the security context of the current user.

• CVE-2019-0851

CVE-2019-0851 is a remote code execution vulnerability in the Microsoft Jet Database Engine, resulting from its failure to properly handle objects in memory. When parsing a malformed file, an Out-Of-Bounds Write results in memory corruption that can eventually lead to a remote code execution scenario. The vulnerability exists in the function _xxopen.

User interaction is required to exploit this vulnerability, wherein the victim must open a malformed file. An attacker who successfully exploits this vulnerability could execute arbitrary code on a victim’s system in the security context of the current user.

• CVE-2019-0877

CVE-2019-0877 is a remote code execution vulnerability in the Microsoft Jet Database Engine, resulting from the failure to properly handle objects in memory. When parsing a malformed file, an Uninitialized Read results in memory corruption that can eventually lead to a remote code execution scenario. The vulnerability exists in the function _exparse.

User interaction is required to exploit this vulnerability, wherein the victim must open a malformed file. An attacker who successfully exploits this vulnerability could execute arbitrary code on a victim’s system in the security context of the current user.

Solution

All users of vulnerable versions of Microsoft Windows and Office should upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions have already been protected from these vulnerabilities with the following signatures, which were released before the Microsoft patches were made available:

MS.JET.Database.Engine.Msp.Code.Execution

MS.Database.Engine.Remote.Code.Execution

View the Fortinet Threat Landscape Indices for botnets, malware, and exploits for Q4, 2018.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for the weekly FortiGuard Threat Intelligence Briefs.

Learn more about the FortiGuard Security Rating Service, which provides security audits and best practices.

Read more about our Network Security Expert program, Network Security Academy program or our FortiVets program.