CVE-2020-0959: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0959) was discovered in the Windows Jet Database Engine, disclosed on April 14, 2020. The vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. This vulnerability affects multiple versions of Microsoft Windows, including Windows 10, Windows 7 SP1, and Windows 8.1 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability specifically involves an out-of-bounds write condition in the JET database engine, where crafted data in a database file can trigger a write past the end of an allocated buffer (ZDI).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, where the target must visit a malicious page or open a malicious file to trigger the exploit (ZDI).

Microsoft has released security updates to address this vulnerability. Multiple patches have been issued for different versions of Windows, including KB4550930 for Windows 10 version 1507, KB4550929 for version 1607, KB4550927 for version 1709, KB4550922 for version 1803, KB4549949 for version 1809, and KB4549951 for versions 1903 and 1909 (Rapid7).