Microsoft patch for JET flaw zero-day is ‘incomplete,’ Windows still vulnerable

October 15, 2018

Despite Microsoft patching a zero-day vulnerability in its JET Database Engine, you are not fully protected. Researchers at 0patch warned that Microsoft’s official patch was “incomplete.”

The Zero Day Initiative first revealed the flaw, which could lead to remote code execution, in September after Microsoft failed to patch it within the 120-day disclosure timeline. Within 24 hours, 0patch released a micropatch, as all versions of Windows contain the JET Database Engine.

Microsoft released a fix on October’s Patch Tuesday, but 0patch said Microsoft’s fix “only limited the vulnerability instead of eliminating it. We promptly notified Microsoft about it and will not reveal further details or proof-or-concept until they issue a correct fix.”

Read More on CSO Online