An exploit is reportedly circulating for a previously unknown vulnerability in MS Access. According to anti-virus vendor Panda, a keylogger is already exploiting the hole to get onto vulnerable systems. Panda's initial analysis attributes the problem to a bug in the Access Jet engine that allows code to be injected and executed with the user's rights. For an attack to succeed, however, the victim must open an MDB file with a vulnerable version of Access.
According to the report, no update is available, and Microsoft probably has no plans to fix the bug either. In response to its inquiry, Panda was told that MDB files are generally insecure files that are blocked by Internet Explorer and Outlook. In a Knowledge Base article, the Redmond company writes: "Examples (of insecure types) are file types that allow the execution of embedded script commands, such as Microsoft Access files (*.mdb) or macros in Microsoft Word files (*.doc) or in Microsoft Excel files (*.xls)."
The article continues: "Microsoft continues to receive reports of alleged vulnerabilities due to the ability of certain insecure file types to perform malicious actions. These reports are evaluated by Microsoft on a case-by-case basis. However, Microsoft does not a priori categorize a file type as vulnerable to threats simply because a person has used the file type for malicious purposes."
Although Microsoft is basically right about this, the problem at hand is not based on the execution of scripts or SQL commands, but on a vulnerability that can be used to execute code directly. In Excel and Word, for example, deactivating macros would likewise help only to a limited extent against a vulnerability in the document parser. A similar vulnerability in Access became known in November last year and was actively exploited shortly afterwards. To this day, no patch is available.
(c't)