Critical .mdb flaw Found - Microsoft may Never fix

Submitted by SkiifGeek
SkiifGeek writes "When independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft are not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications.

Where should vendors be required to draw the line when supporting deprecated file formats and technology? In this case, leaving a serious vulnerability active in a deprecated technology could have serious effects if an exploit were to target it, but it is a matter of finding the right balance of security and usability such that Microsoft's users are not exposed to too great a danger for continuing to use Microsoft products."


  • This sounds like a non-issue: according to the description, you must already have a malicious Access .mdb file being accessed, and it's not normal practice to allow random upload of .mdb files to a server. You'd have to install the malicious database yourself, then the attack could happen.

    The malicious Access .mdb could also have malicious VBA code, or a query that wipes out data, or you could simply load a malicious executable, which would be a lot simpler.
    • I had to work in an environment where receiving MDB files from outside sources happened regularly, on at least a monthly basis. Also consider the recent stories about the targeted malicious e-mail attacks on high level company executives. Unless MDB files are blocked at the SMTP gateway, this is another format that could be used in that form of attack.

      IMHO, unless Microsoft is dropping support for Access 2003 and earlier applications and files, they should be providing fixes for known security vulnerabili
  • To me, using Access is the problem and even MS knows it. With new tools like SQL Server Express, I'd imagine that MS could care less about keeping Access alive and providing patches for it. Every time I go to a new client, trying to wean them off Access is a nightmare. I've seen businesses that have an excess of 12,000 Access DBs onsite... that's 12,000 Access DBs just waiting to go corrupt, get too large, or just plain stop working.