Online criminals are exploiting a flaw in the Microsoft Office Access database to install unauthorized software on computers, the United States Computer Emergency Readiness Team (US-CERT) warned Monday. In its brief warning, US-CERT offered few details on the attack, saying simply that the organization is "aware of active exploitation" of the problem by criminals who have sent specially crafted Microsoft Access Database (.mdb) files to victims.
These files are "designed for the sole purpose of executing commands," so they should not be accepted from untrusted sources, Microsoft said in a note on its Web site. Run by the U.S. Department of Defense, US-CERT is charged with coordinating the nation's response to cyberattacks. Companies typically block the use of .mdb files, but criminals could be using this attack in a targeted strike against an organization that is known to use this particular file-type, said Ben Greenbaum, senior manager for Symantec security response. Symantec itself has seen no evidence of the .mdb exploitation that prompted the US-CERT alert.