The existence of a zero-day vulnerability (ZDI-18-1075) in Microsoft’s Joint Engine Technology (JET) database has been identified by security researchers at Trend Micro. Used primarily by Microsoft Access and Visual Basic as their back-end database, Microsoft’s JET may be installed by default or for operational purposes in the machines running within your facilities utilising Industrial Control Systems (ICS). This opens up the possibilities for attack in a huge range of critical infrastructures.
A malicious file stored in the JET file format has the ability to exploit this vulnerability to attack the computer running the Microsoft Access or Visual Basic program. The Researchers have demonstrated the effectiveness of the exploit on Windows 7, believing all versions of Windows to be vulnerable. Ethically reported to and acknowledged by Microsoft in May, they failed to provide a solution within 120 days. The researchers then publicly disclosed the issue and released a proof of concept exploit code.
The JET Zero-Day: How Does It Work?
The JET zero-day vulnerability is an example of an out-of-bounds memory write vulnerability. This is a well-known type of programming flaw, in which a program allocates a certain amount of memory space for storing data, but then is able to store memory outside of this range. In the case of the JET vulnerability, a malicious file stored in the JET file format and opened using Microsoft Access can exploit this vulnerability to modify the memory of the Microsoft Office process.
This ability to modify the memory of the Microsoft Access process is very dangerous. The areas where the out-of-bounds vulnerability allows the program to write, includes the places where the code of the Microsoft Access process is stored while it is running. This enables the malicious file to write code into this memory and then execute it, giving the attacker the same level of privilege on the system as the Microsoft Access program itself. Running the program as Administrator may mean that the attacker now has complete control over the affected computer - not an ideal situation.
How Can This Impact My Industrial Control Systems?
Industrial Control Systems are not more or less vulnerable to this type of attack than any other Windows user. Windows computers are used extensively in critical infrastructure and, if induced to open a specially crafted malicious JET file, can be affected by the attack. Although due to the low frequency of system patching in an industrial environment to avoid downtime and stoppages in production; the fact is that critical systems are unlikely to have non-critical patches applied.
The main threat to critical infrastructure from exploitation, is the attacker’s new-found ability to execute code on an affected system. Most critical systems in the ICS area are unlikely to be opening files, especially using Microsoft Access. However, these systems are likely to be connected to user workstations, which may be more vulnerable to attack. If one of these workstations is infected, it could potentially give an attacker the possibility to bypass a network’s boundary protections and provide them with a foothold on the protected network. This can be used as a pivoting point for attacks against other systems within the network, which may rely on the perimeter defences for protection and could potentially not be up-to-date on patches.
Safeguarding Your ICS From This Vulnerability
While Microsoft is aware of the JET zero-day vulnerability (and has been for over four months), an official patch has not yet been released for the issue. Until then, all Windows systems operating with Microsoft Access or Visual Basic installed are potential targets.
The fact that Microsoft Access can only be exploited via a malicious database file, means that it is most likely to be used as part of a phishing campaign (user interaction required). If an attacker can convince a user to open a JET database file attached to an email, via instant messaging or via USB stick, they have the opportunity to take control of the user’s computer. As basic security in an operations environment, systems should not be accessible to messaging and email regardless. The simplest way to protect against this type of attack is user training. Warn users to watch out for attached Microsoft Access database files and relay why it is critical not to open files from unexpected or unknown sources. Your team should be able to recognise the relevant file extensions (.mdb) and also the file extension hiding capability in Windows, as if this is enabled, allows an attacker to rename files such as Batch.docx.mdb, and have it appear as Batch.docx in Windows Explorer. Users should be especially cautious when opening Office files and pay attention to the program associated with opening them (Access), as opposed to the one that they expect (Word).
Another means of protecting against this attack is by introducing system hardening techniques. Reduce vulnerability surfaces by minimising the functions and connections of a system down to bare essentials only. If Microsoft Access and Visual Basic are not necessary for a user’s job role, uninstalling these programs from their system removes the possibility that a malicious file could be accidentally opened, and exploitation taking place. Especially for critical systems, disabling or removing unnecessary software is considered a security best practice since it reduces the potential vulnerable attack surface of the system.
Vital Takeaways for the JET Zero-Day Vulnerability
Since the JET zero-day vulnerability is an out-of-bounds write vulnerability that allows code to be executed, it can have a major impact on an affected ICS. Coming with it is the potential to affect the safety of facility employees, the reputation of the company and incur huge financial losses. However, the fact that this attack requires user interaction and involves file types that are not commonly used, makes it less likely that a user will be exploited by accident in the course of their daily duties. The major threat that this vulnerability poses to ICS/SCADA systems is the possibility that an end-user engineering workstation can be infected, allowing an attacker to establish a beachhead from which they can attack critical systems within the protected network.
To learn more about fortifying the security of your critical ICS/SCADA assets, it is recommended to conduct a Risk and Vulnerability Assessment to identify possible weaknesses and establish a strong foundation of security best practices, tailored to protect critical facilities within your organisation. Your employees are the hands behind system operations, so be sure to bring the knowledge to your workforce. Implement thought-provoking awareness campaigns and Cyber Security Awareness Training to reinforce employee understanding of the potential risks and the consequences simple actions can bring.