The second Access memory leak has finally been patched by Microsoft, almost a year after a very similar problem was discovered. These bugs have been around since 2002 and the effects are still in some Access files.
Both are faults in the way Access saves data to memory locations, which hackers could exploit. Those memory chunks are usually useless but could contain private information like names, passwords etc. Anything saved to memory could get dumped into an Access database or as Microsoft puts it “compromise of the confidentiality, integrity, or availability of a user’s data, or of the integrity or availability of processing resources.”
Back in January 2019, Microsoft patched CVE-2019-0560, an Access memory leak bug where parts of memory are saved in documents.
Then in December 2019, a similar problem was patched, CVE-2019-0560, this time called ‘MDB leaker’.
With MDB leaker, Access saves random chunks of memory to MDB files. A hacker could scan MDB files on a computer looking for any useful info that should not be there in the first place.
The Good News
If you’ve been updating Office 365, Office 2016, Office 2013 or Office 2010 regularly there’s no ongoing problem.
Happily, there are no reports of either exploit being used ‘in the wild’.
The Bad News
Only Office 2010 and later have been fixed. Mimecast suggests these memory leaks have been in Access since 2002 (Office XP).
Any Access files that were last saved before the security patches will have unwanted memory blocks in them. Any older MDB files need to be opened and saved by a patched Office to make sure there are no unwanted extras.
That’s not good; however, keep in mind that the memory objects saved in the MDBs are random. You’d have to be very unlucky to have something exploitable stored. In other words, balance the time, trouble & cost of finding and saving old MDB files against the relatively low risk.
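To size up that clean-up job, the sketch below inventories MDB files last written before a cutoff date, recognising them by the Jet file signature rather than by extension. It is an added example, not code from Microsoft or Mimecast; the cutoff date, function names and sample files are assumptions, and last-modified time is only a proxy for "last saved by an unpatched Access".

```python
import os
import tempfile
from datetime import datetime, timezone

# Jet .mdb files carry this ASCII signature starting at byte offset 4.
JET_MAGIC = b"Standard Jet DB"

def is_jet_mdb(path):
    """True if the file has the Jet signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(4 + len(JET_MAGIC))
    except OSError:
        return False  # unreadable or locked file: skip rather than abort the scan
    return header[4:] == JET_MAGIC

def find_stale_mdbs(root, patched_on):
    """Return sorted (path, last_write_utc) for MDB files written before patched_on."""
    cutoff = patched_on.timestamp()
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_jet_mdb(path):
                continue
            try:
                mtime = os.path.getmtime(path)
            except OSError:
                continue
            if mtime < cutoff:
                stale.append((path, datetime.fromtimestamp(mtime, timezone.utc)))
    return sorted(stale)

def demo():
    """Constructed sample tree; returns the file names flagged for re-saving."""
    # Assumed cutoff: the date patched Office was installed (hypothetical value).
    patched_on = datetime(2020, 1, 1, tzinfo=timezone.utc)
    jet = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 16
    samples = {"old.mdb": (jet, 2015), "resaved.mdb": (jet, 2021),
               "archive.bak": (jet, 2010), "notes.mdb": (b"plain text", 2015)}
    with tempfile.TemporaryDirectory() as root:
        for name, (data, year) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            ts = datetime(year, 6, 1, tzinfo=timezone.utc).timestamp()
            os.utime(path, (ts, ts))  # backdate the constructed file
        return [os.path.basename(p) for p, _ in find_stale_mdbs(root, patched_on)]

if __name__ == "__main__":
    print(demo())
```

A file copied or touched after the cutoff will not be listed even if Access never re-saved it, so treat the result as a lower bound.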
Neither of these bugs was found by Microsoft; it was Mimecast who did the ‘hard yards’ in both cases.
It’s disappointing that Microsoft didn’t dig deeper after being told of the first Access memory leak bug. If they’d done that, the company should have found the similar bug and fixed it too.
Office documents had unexplained memory objects saved in them? Didn’t someone at Microsoft notice these strays in their files over 15+ years?