CVE-2020-0953: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0953) was discovered in the Windows Jet Database Engine, disclosed on April 14, 2020. The vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. This vulnerability affects multiple versions of Microsoft Windows including Windows 10, Windows Server 2016, and Windows Server 2019 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the JET database engine where crafted data in a CSV file can trigger a write past the end of an allocated buffer, leading to an out-of-bounds write condition (ZDI, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process, potentially leading to full system compromise. The vulnerability requires user interaction, as the target must visit a malicious page or open a malicious file (ZDI).

Microsoft has released security updates to address this vulnerability. Multiple KB updates are available for affected systems including KB4550929 for Windows 10 version 1607, KB4549951 for Windows 10 versions 1903 and 1909, and KB4549949 for Windows 10 version 1809 and Windows Server 2019 (Rapid7).