Cyber criminals are actively exploiting a flaw in the Microsoft Office Access database in order to install malware on computers, according to a warning issued by the United States Computer Emergency Readiness Team.
U.S. CERT issued a brief warning on its Web site Monday stating that the organization was "aware of active exploitation using malicious Microsoft Access databases." The U.S. CERT is the operational arm of the National Cyber Security Division at the Department of Homeland Security, and oversees defense against and response to cyber attacks.
An exploit of the vulnerability could occur when an attacker sends an infected Access database file, or .mdb file, as an attachment in an e-mail message that contains a virus or Trojan horse program. By opening the maliciously designed file, users could enable the execution of arbitrary code without any additional interaction. The malicious code could then be used to infiltrate a user's computer in order to alter or delete information stored on the machine. The files could also be used to send stored information to another computer.
Ben Greenbaum, senior research manager of Symantec Security Response, said that the vulnerability could be a stack overflow in the Microsoft Jet Database engine, which handles .mdb files. "It could lead to an attacker executing a code of choice on the user's system," said Greenbaum.
U.S. CERT did not include specifics on the exploit in its warning and officials did not immediately respond to calls from CRN.
Microsoft confirmed that the company was aware of reports of the problem, but did not specify if a patch was needed or scheduled. A spokesperson added that "The file type, .mdb, is an unsafe file. Various Microsoft applications prevent users from opening this type of file, or warn them before they open the file."
A note on Microsoft's Web site warned that .mdb files allow for "embedded script operations" and are "designed for the sole purpose of executing commands."
"The ability to perform script actions in applications can be a very powerful productivity tool that gives customers great flexibility in how they apply Microsoft products to solve real world problems. However, these same technologies can be leveraged by a malicious attacker to damage a user's computer," the note stated.
Security experts say that most companies have systems in place that prevent employees from either sending or receiving .mdb files. Greenbaum said that an attacker would have to be aware that a company openly used and shared .mdb files in order for an attack to be successful.
"Microsoft recommends not allowing [.mdb files] into corporate networks from the outside," said Greenbaum. "While U.S. CERT issued a warning, it would be near impossible for that exploit to be widespread."
Security personnel echo Microsoft's advice: do not open these types of files if they are received from an unknown or unsolicited sender, and block high-risk file attachments at e-mail gateways. "Additionally, even if the company has decided to allow .mdb files, it's best to verify with the sender that in fact they sent it intentionally," said Greenbaum.
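A gateway-side attachment check of the kind recommended above, added here as an example and not taken from the article, US-CERT or Microsoft: it parses a raw e-mail message and flags attachments that are .mdb by extension, and also attachments that carry the Jet database file signature even after being renamed. The signature string is an assumption drawn from the Jet file format (the article gives no byte-level detail), and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: Jet-format .mdb files carry "Standard Jet DB" at byte offset 4.
# Checking the bytes catches a database renamed to dodge an extension filter.
JET_MAGIC = b"Standard Jet DB"
JET_MAGIC_OFFSET = 4
BLOCKED_EXTENSIONS = (".mdb",)  # the gateway policy knob; extend as policy requires


def find_blocked_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment that violates the .mdb policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append("extension")
        if payload[JET_MAGIC_OFFSET:JET_MAGIC_OFFSET + len(JET_MAGIC)] == JET_MAGIC:
            reasons.append("jet-magic")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a .mdb, the same bytes renamed to .txt, and a harmless note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached database.")
    fake_mdb = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 16  # constructed header only
    msg.add_attachment(fake_mdb, maintype="application", subtype="octet-stream",
                       filename="figures.mdb")
    msg.add_attachment(fake_mdb, maintype="application", subtype="octet-stream",
                       filename="figures.txt")
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_blocked_attachments(build_sample_message()):
        print(f"BLOCK {finding['filename']}: {', '.join(finding['reasons'])}")
```

A real gateway would quarantine the message on any finding rather than print, and would keep the filename so the recipient can confirm with the sender, as Greenbaum suggests.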