In January 2019, Mimecast Research Labs discovered and disclosed CVE-2019-0560, a Microsoft Office product vulnerability. Recently the lab discovered and disclosed a startlingly similar new vulnerability called MDB Leaker that required a patch (CVE-2019-1463) in Microsoft’s Access database application.
If this vulnerability is left unpatched, it could leave 85,000 companies, nearly 60% of which are in the US, exposed to a leak of sensitive data. How are these two vulnerabilities similar? Both stem from the same common coding mistake, an application that fails to manage system memory properly, and in both cases that mistake can lead to the unintended disclosure of sensitive or private information.
False positives can be good
While false negatives such as missing malicious files or emails should always be minimised, counterintuitively, not all false positives are inherently bad. For instance, with MDB Leaker, as with the January 2019 Microsoft Office vulnerability, the report of a potential false positive proved to be critical to this discovery. Here’s how.
After receiving a false positive report for a Microsoft Access file that had been flagged by static file analysis, Mimecast researchers investigated and found code fragments in what should clearly be a data-only file type, a Microsoft Access MDB file. From there, the team suspected improperly managed memory in the Microsoft Access application; they reverse-engineered Access, quickly reproduced the problem, and tracked it back through multiple older versions of the product.
What is the Security Vulnerability?
MDB Leaker is nearly identical to the broader Office memory leak discovered early in 2019: whenever a database is saved with an unpatched version of Access, the content of uninitialised memory is written into the file alongside the real data. The behaviour is present at least as far back as Access 2002. Because the content of that memory is effectively random, the data unintentionally saved into the file will often be valueless fragments. That will certainly not always be true, however.
In some cases, the unintended data saved into the MDB file could be sensitive information such as passwords, certificates, web requests, and domain/user information. There is no way of knowing without looking! This is what makes a memory leak of this kind a security vulnerability: the stale memory itself is not the problem; the problem is the data it carries and the file it ends up in.
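The mechanism described above, as an added example that is not Mimecast's or Microsoft's code: a toy page-writing routine for a hypothetical database format (the page layout, the `MDB1` magic, the scratch buffer and the leftover HTTP request are all constructed for this example, not the real MDB layout). The leaky version fills only the header and the record and then writes the whole page, so a credential an earlier task left in the same memory reaches the file; the fixed version defines every byte of the page before writing it.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PAGE_SIZE 128   /* on-disk page size of this toy format (not the real MDB layout) */
#define HDR_LEN   6     /* 4-byte magic + 2-byte "bytes used" */

/* Scratch buffer the whole (hypothetical) application recycles between tasks.
 * Nothing clears it between uses, which is the root of the problem. */
static unsigned char scratch[PAGE_SIZE];

/* Constructed stand-in for a sensitive value some earlier task left behind. */
static const char leftover_request[] =
    "GET /api/v1/reports HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "X-Api-Key: hypothetical-key-0123456789\r\n";
static const char secret_fragment[] = "X-Api-Key: hypothetical-key-0123456789";

/* Simulates an unrelated subsystem (say, an HTTP client) using the buffer earlier. */
void simulate_earlier_use(void) {
    memcpy(scratch, leftover_request, sizeof leftover_request);
}

/* Writes the toy page header: magic followed by a little-endian "bytes used". */
static void put_header(unsigned char *p, uint16_t used) {
    p[0] = 'M'; p[1] = 'D'; p[2] = 'B'; p[3] = '1';
    p[4] = (unsigned char)(used & 0xff);
    p[5] = (unsigned char)(used >> 8);
}

/* Vulnerable save: fills only the header and the record, then writes the whole
 * page, so whatever the scratch buffer held before goes to disk as well. */
size_t save_page_leaky(const char *record, unsigned char *out) {
    uint16_t used = (uint16_t)strlen(record);
    put_header(scratch, used);
    memcpy(scratch + HDR_LEN, record, used);
    memcpy(out, scratch, PAGE_SIZE);   /* bytes HDR_LEN+used .. PAGE_SIZE-1 are stale */
    return PAGE_SIZE;
}

/* Fixed save: every byte of the page is defined before it is written. */
size_t save_page_fixed(const char *record, unsigned char *out) {
    uint16_t used = (uint16_t)strlen(record);
    memset(scratch, 0, PAGE_SIZE);     /* the one-line fix */
    put_header(scratch, used);
    memcpy(scratch + HDR_LEN, record, used);
    memcpy(out, scratch, PAGE_SIZE);
    return PAGE_SIZE;
}

/* Returns 1 if needle occurs anywhere in the page, i.e. in the file an attacker reads. */
int page_contains(const unsigned char *page, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(page + i, needle, n) == 0) return 1;
    return 0;
}

/* Runs the scenario end to end with the given save routine and reports whether
 * the leftover secret can be read back out of the written page. */
int secret_reaches_disk(size_t (*save)(const char *, unsigned char *)) {
    unsigned char page[PAGE_SIZE];
    simulate_earlier_use();
    size_t len = save("Customer: Alice Example", page);
    return page_contains(page, len, secret_fragment);
}

int main(void) {
    printf("leaky save leaks secret: %d\n", secret_reaches_disk(save_page_leaky));
    printf("fixed save leaks secret: %d\n", secret_reaches_disk(save_page_fixed));
    return 0;
}
```

Note that the record itself is only 29 bytes including the header, so the API key at offset 59 of the recycled buffer survives intact in the leaky page. In a real application the stale region is whatever the allocator or stack last held, which is why the leaked content looks random most of the time and is dangerous some of the time.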
Consider the attack scenario the researchers describe. If a malicious actor gained access to a machine that holds MDB files, or got hold of a large dump of MDB files, they could run an automated "dumpster diving" hunt across all of them, collecting any sensitive information resident in the files for any number of malicious uses.
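What that automated hunt looks like in practice, as an added example rather than anything from the researchers or from a real tool: a scanner that pulls printable-ASCII runs out of a page of bytes and keeps the runs that match indicators of the data classes named above (credentials, certificates, web requests, domain/user names). The page it scans is constructed inline for the example; the "Standard Jet DB" text is the signature string Jet-format files carry near their start and is included as a benign run that should not be flagged, while the token, certificate marker, account name and password are invented.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MIN_RUN     8      /* ignore printable runs shorter than this */
#define MAX_HIT_LEN 128
#define MAX_HITS    16

/* Substrings (compared case-insensitively) that mark a run as interesting. */
static const char *const indicators[] = {
    "password", "pwd=", "begin certificate", "authorization:",
    "http://", "https://", NULL
};

static void to_lower(char *s) {
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* A run looks like DOMAIN\user when a backslash sits between two word characters. */
static int looks_like_domain_user(const char *s) {
    for (const char *p = s + 1; p[0] && p[1]; p++)
        if (*p == '\\' && isalnum((unsigned char)p[-1]) && isalnum((unsigned char)p[1]))
            return 1;
    return 0;
}

static int is_interesting(const char *run) {
    char low[MAX_HIT_LEN];
    strncpy(low, run, sizeof low - 1);
    low[sizeof low - 1] = '\0';
    to_lower(low);
    for (int i = 0; indicators[i]; i++)
        if (strstr(low, indicators[i])) return 1;
    return looks_like_domain_user(run);
}

/* Extracts printable ASCII runs of at least MIN_RUN bytes from buf and copies the
 * ones that match an indicator into hits. Returns the number of hits recorded. */
size_t scan_for_secrets(const unsigned char *buf, size_t len,
                        char hits[][MAX_HIT_LEN], size_t max_hits) {
    size_t n = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i])) continue;   /* still inside a run */
        size_t run_len = i - start;
        if (run_len >= MIN_RUN && n < max_hits) {
            char run[MAX_HIT_LEN];
            size_t copy = run_len < MAX_HIT_LEN - 1 ? run_len : MAX_HIT_LEN - 1;
            memcpy(run, buf + start, copy);
            run[copy] = '\0';
            if (is_interesting(run)) strcpy(hits[n++], run);
        }
        start = i + 1;                                /* next run begins after this byte */
    }
    return n;
}

/* Constructed stand-in for bytes recovered from a leaked database page:
 * binary filler between a mix of harmless and sensitive strings. */
size_t build_sample_page(unsigned char *out, size_t cap) {
    static const unsigned char filler[4] = {0x00, 0x01, 0x00, 0x00};
    const char *strings[] = {
        "Standard Jet DB", "Customer Orders Q3",
        "Authorization: Bearer hypothetical-token-abc123",
        "-----BEGIN CERTIFICATE-----", "CORP\\jdoe", "pwd=hunter2;", "ab"
    };
    size_t pos = 0;
    for (size_t i = 0; i < sizeof strings / sizeof *strings; i++) {
        size_t n = strlen(strings[i]);
        if (pos + sizeof filler + n > cap) break;
        memcpy(out + pos, filler, sizeof filler); pos += sizeof filler;
        memcpy(out + pos, strings[i], n);         pos += n;
    }
    return pos;
}

static char sample_hits[MAX_HITS][MAX_HIT_LEN];

/* Builds the sample page, scans it, and returns the hit count; hits stay in sample_hits. */
size_t scan_sample(void) {
    unsigned char page[512];
    size_t len = build_sample_page(page, sizeof page);
    return scan_for_secrets(page, len, sample_hits, MAX_HITS);
}

const char *sample_hit(size_t i) { return sample_hits[i]; }

int main(void) {
    size_t n = scan_sample();
    for (size_t i = 0; i < n; i++) printf("hit: %s\n", sample_hit(i));
    return 0;
}
```

Run against a directory of real MDB files, the same loop would read each file into memory and feed it to `scan_for_secrets`; the indicator list is deliberately short and is the part a practitioner would extend, for example with the key prefixes and hostnames specific to their own environment.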
Fortunately, to date, Mimecast researchers have not seen this vulnerability exploited in the wild, but it is reasonable to expect that malicious actors will add it to their repertoire in short order. To stay ahead of that, follow security best practices and patch the Microsoft Access application.
How to Defend Your Organisation
- Regularly update your systems and applications for security vulnerabilities as they are patched by the vendor.
- Once patched, consider opening and resaving existing Microsoft Access MDB files to eliminate any unwanted content that may be resident in them.
- Use an email security system with sophisticated malware detection capabilities, including both static file analysis and sandboxing, to stop malicious files entering the organisation and sensitive content leaving it.
- Monitor network traffic for connections to likely command-and-control services and for the exfiltration of potentially sensitive files.
- Continuously update endpoint security systems to increase the likelihood of detecting malicious software running on these hosts.
By Matthew Gardiner, Director of Enterprise Security Campaigns, Mimecast.