Microsoft swatted a bug in its Jet Database Engine that attackers were exploiting.
Microsoft officials confirmed in March that attackers were using a flaw affecting the Jet 4.0 Database Engine to target Windows users. The company described the attacks at the time as “very limited.” Still, the patch for Jet DB will have the widest impact because it affects Windows XP, Windows 2000 and Windows 2003, said Don Leatham, director of solutions and strategy at Lumension Security.
“When prioritizing this month’s patches, this will probably get the most attention because of the number of organizations running these systems and programs,” Leatham said in a statement.
According to Microsoft, successful exploitation of the vulnerability could lead to a complete takeover of an affected system.
The fix was included in one of four security bulletins the company issued as part of its May Patch Tuesday update. Three of the bulletins, including the one for the Jet Database Engine flaw, were rated “critical.”
One of the other critical bulletins addresses vulnerabilities in Microsoft Word, while the other plugs a security hole in Microsoft Publisher. As with the Jet Database Engine flaw, all of the vulnerabilities can be exploited remotely by attackers to seize control of an unpatched system.
The final security bulletin is rated “moderate” and addresses two vulnerabilities in the Microsoft Malware Protection Engine. The Malware Protection Engine is contained in a number of programs, including Windows Live OneCare and Microsoft Forefront Client Security.
Although the bulletin is rated moderate, Leatham urged organizations to pay close attention if they rely on any of the products as part of their overall security strategy.
“Whenever security tools themselves are affected, even if they have been given moderate status, we encourage customers to treat them with increased importance,” Leatham said.
In April’s Patch Tuesday, Microsoft issued fixes for five “critical” and three “important” vulnerabilities.