Forgot your password?
typodupeerror
Security IT

The Fine Line Between Security and Usability 195

Posted by ScuttleMonkey
from the discarding-old-tech dept.
SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."
This discussion has been archived. No new comments can be posted.

The Fine Line Between Security and Usability

Comments Filter:
  • In my opinion (Score:4, Insightful)

    by moogied (1175879) on Monday November 19, 2007 @07:27PM (#21414205)
    Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile. They want money. As every company on earth does. That is where the line is drawn. Exactly where it becomes unprofitable.
    • by actiondan (445169) on Monday November 19, 2007 @07:33PM (#21414279)
      Microsoft is a company, there goal is profit. ... not making linux geeks smile

      Explain Vista then.
    • Re: (Score:3, Insightful)

      by timeOday (582209)
      Where else should the line be drawn? Unfortunately there is no line nicely "between" usability and security, because the two are in direct conflict. Computers would be so much easier to use in every way if we didn't have to worry about abuse - it's a huge part of the configuration burden that plagues computers today. That's the world we live in. The line has to be drawn somewhere, but "absolute security" isn't it (and neither is "absolute convenience").

      Whether Microsoft draws it at the right place is

    • Re:In my opinion (Score:5, Insightful)

      by jmv (93421) on Monday November 19, 2007 @07:56PM (#21414531) Homepage
      That's what really bothers me about the libertarian-neocon view on corporations. You have at the same time:

      1) Companies are only there to make a profit and don't have to care about things like environment, security, ...

      2) Regulation is evil, let the companies do whatever they like and the market will sort it out.

      Logical conclusion from 1) and 2) is that we're pretty much screwed and back to some kind of feudalism. And no, most people do not vote with their wallets and the Market will not sort it out magically (otherwise, CO2 emissions would already be on the way down and there wouldn't be all these environmental problems).
      • Who the hell is a "libertarian-neocon"? Nice job knocking down that straw man.
        • by jmv (93421)
          It's not *a* libertarian-neocon, but what I'm saying applies to both (admittedly very different) groups.
          • Ah, okay, you should've used a slash then.

            And, anyway, actually the logical conclusion from 1) and 2) is that we should incentivize externalities via such measures as tradable pollution credits, thus making them directly bear on companies' bottom lines and encouraging a market-based solution, instead of imposing regulations by fiat.

            • by jmv (93421)
              we should incentivize externalities via such measures as tradable pollution credits, thus making them directly bear on companies' bottom lines

              Isn't that considered ligislating and taxing (two things which neocons and libertabians are opposed to)?

              Don't get me wrong. I do agree that ultimately companies should pay the real (environmental, social, ...) cost of whatever they do. Then dumping waste would no longer attract a small fine for creating pollution, but rather prosecution for "stealing from the environm
      • What environmental problems are you talking about? Twenty years ago, several species of fish that were native to rivers near me, that had not been seen in them in the at least 30 years were once again found in the rivers. The populations of those fish have steadily risen since then. The polar bear population is larger than it has been in two or three human generations. The air in the cities near me are cleaner than they were a century ago. 40 years ago if you had talked about CO2 as pollution, environmental
        • by jmv (93421)
          The fact that CO2 is our biggest pollution worry, means that we have made huge strides at addressing pollution and other environmental problems.

          No, it means we've ignored the problem (partially because less was known about it) for a long time and now there's no other choice but to face it. All the environmental issues you've mentioned are mostly on a local scale (less particle-based pollution in a city == cleaner air) and obvious. They are easier to deal with partly because a local change can make a differe
          • Actually, the best evidence is that it would be a more efficient expenditure of money (that is less cost for bigger impact) to develop programs to deal with the negative effects of global warming than it would to reduce the amount of temperature change by reducing CO2 emissions.
            Oh yeah, I should be as worried about CO2 in the air as about heavy metals in the water supply.
    • Why shouldn't those goals be reflected by our corporate overlords?
    • Re:In my opinion (Score:5, Insightful)

      by mrbluze (1034940) on Monday November 19, 2007 @08:07PM (#21414631) Journal

      Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile.

      As correct as you are, there does not need to be a fine line between usability and security. There needs to be (and of course there will be) an ongoing evolution in software design to offer usability without compromising security. I reckon it won't be a long time before any software program that gets run in userspace (or any space) has to go out on bended knee requesting to do anything - forced to abide by a security policy by default which limits its access. I don't mean the old broad-brush users/groups/device permissions etc. model that is everywhere now, but stuff like "only allowed to read from this folder, only allowed to talk to this or that application, etc." with very low level behaviour controls.

      I don't think this needs to result in a "the mouse pointer wants to move, confirm/deny" scenario, but that the software designers need to submit with their product a security policy within which their applicaton has to function. The user should be able to very easily browse this policy and see what the program expects to be able to do, and override things, such as "access the internet using HTTPS at port 3232 to server www.phonehome.net" or sloppy things like "read contents of /etc recursively" instead of "read contents of /etc/mostlyharmlesswidget/config".

      I know things like this already exist and there is a limited implementation of it, but to me that just confirms the point that it is the obvious next step.

      • by TheLink (130905)
        I hope it continues becoming more and more obvious, getting tired of proposing it to people who don't find it obvious :)

        e.g.
        https://bugs.launchpad.net/ubuntu/+bug/156693
    • Re:In my opinion (Score:5, Insightful)

      by fm6 (162816) on Monday November 19, 2007 @08:08PM (#21414635) Homepage Journal

      Microsoft is a company, there goal is profit.
      So what? You think there's no connection between security and profit? Next you'll be telling me that Ford's goal is profit, not reliable cars. Of course, nowadays they have neither...

      This whole discussion is based on a faulty premise, that MS is leaving its Access users without a fix. They have a fix, and they've had it for some time: stop using MDB format and convert your databases to a data engine that isn't a POS. They've deprecated MDB and Jet Engine. That means they're telling their customers "Don't use that stuff any more, it's faulty." The fact that they continue to support customers who ignore the deprecation doesn't change that.

      There is the little detail that Access itself is a POS. But that's designed in — not much they can do about that.
      • by CastrTroy (595695)
        And if people had written their applications with proper database abstraction layers, moving from one database to another wouldn't be all that difficult. The fact is that a lot of programmers did a really bad job when they designed their applications, and now they want MS to fix some ancient technology, just so they never have to upgrade their systems.
      • by Tom (822)

        Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile. They want money. As every company on earth does.

        That is correct, but that doesn't make it right.

        Jimmy is a paedophile, his goal is fucking six-year old girls. Not health, not being socially responsible, not making the priest happy. He wants sex. As every paedophile does.

        Same simple truth, still doesn't make it ok, acceptable or justified.

  • by damn_registrars (1103043) <damn.registrars@gmail.com> on Monday November 19, 2007 @07:29PM (#21414239) Homepage Journal
    Mordac, the preventer of information services, makes a statement on security versus usability:

    http://dilbert.com/comics/dilbert/archive/dilbert-20071116.html [dilbert.com]
    • by mcrbids (148650)
      Funny - as CTO of my company, I sent a link to this just the other day to all staff in our company.

      Yes, we take security seriously. And yes, we have fun doing it!
  • by rickb928 (945187) on Monday November 19, 2007 @07:34PM (#21414281) Homepage Journal
    ... that Microsoft doesn't want to fix Jet.

    They'd rather you re-wrote your app and used MSDE, or something with .NET in it.

    Not a lot of money in supporting the db engine they give away.

    And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?

    A pox on them all. I hope we re-write our app in mySQL.

    • Re: (Score:3, Funny)

      I hope we re-write our app in mySQL
      Thems're fightin' words around here...
      • by argent (18001)
        You prefer PostgreSQL?
        • I'm MySQL through and through, but honestly, the worst flame wars I've ever seen on the site were mysql vs. postgres. I would say pirates vs. the "thou shalt be honest, even unto the music industry" folks, but there aren't too many of the latter around here...
          • by argent (18001)
            I'm MySQL through and through, but honestly, the worst flame wars I've ever seen on the site were mysql vs. postgres.

            Ah, youngsters these days, how soon they forget the dark times, the great OS wars, when geeks everywhere stood up for their right to use their OS of choice. Now all that is left is UNIX, and UNIX wannabes... even Windows bears the mark of the Beastie these days.
    • by zentigger (203922)
      A pox on them all. I hope we re-write our app in mySQL.

      If more people share this attitude it will become "profitable" for Microsoft to fix this.

      If not, well, you will have a secure app anyway, and MS can bugger off and die in a gutter somewhere, and all the dumb bastards that decided to rely on a free piece of software from a company with a horrible reputation for customer support and secure coding practices get what they deserve!
      • by berzerke (319205) on Monday November 19, 2007 @08:43PM (#21414931) Homepage

        ...all the dumb bastards that decided to rely on a free piece of software from a company with a horrible reputation for customer support and secure coding practices get what they deserve!

        Except with the Internet and massive databases floating around, we are all interconnected. Jet DBs may not be massive, but that doesn't mean the company doesn't have access to other real databases. OK, so the stupid company gets owned. Now, if they have any info on me, that's in the criminal's hands, and good luck getting compensation even if the company admitted full responsibility. Their Internet connection can now be used to spam or DOS me. If they go out of business, think about all the employees who had nothing to do with the IT decisions (and those who opposed this particular one). They get to stand in the unemployment line. Vendors might get shafted on unpaid invoices.

        Just because your system is secure doesn't mean you don't get affected by someone else's insecure system. And no, I don't know what the solution to that problem is.

    • keep using access? It is so dinky as a relational database... I'm not honestly sure what it *is* supposed to be used for.
      • by mfnickster (182520) on Monday November 19, 2007 @08:10PM (#21414647)
        > why do people keep using access? It is so dinky as a relational database... I'm not honestly sure what it *is* supposed to be used for.

        Microsoft Access is a demo. It's meant to seduce you into thinking that developing your own database applications is easy and fun, and that Access can address your organizational needs adequately. This puts you onto the path that will eventually lead to you buying MS SQL Server.

        At least, that's been my experience! :)
        • by argent (18001) <peterNO@SPAMslashdot.2006.taronga.com> on Monday November 19, 2007 @08:39PM (#21414887) Homepage Journal
          "Access is the path to the dark side, for Access leads to SQL Server, and SQL Server leads to suffering."
          • Re: (Score:2, Insightful)

            by Anonymous Coward
            "Access is the path to the dark side, for Access leads to SQL Server, and SQL Server leads to suffering."

            Yes, you're funny, but SQL Server is a solid, well-done database. In terms of quality of product, I think it's the best thing that MS sells.
            • Re: (Score:3, Insightful)

              by argent (18001)
              SQL Server is [...] the best thing that MS sells.

              Damning with faint praise.
        • This puts you onto the path that will eventually lead to you buying MS SQL

          Nah. Most people only used/use Access for smaller stuff. They came out with SQL server lite a while back. Free of charge and embeddable into .net apps (much like cloudscape is for java apps).
        • Re: (Score:3, Interesting)

          by domatic (1128127)
          Well, that actually is my problem with FileMaker Pro. It too seduces you into thinking that developing database apps are easy and fun. The difference is that when an FM Pro app starts flaking out (public school systems are just eaten up with FM Pro deployments that got too big for their britches) there isn't a "big brother" product to easily transition to that scales.

          Yeah it's true that Access is a gateway drug to SQL Server. But that IS a viable upgrade path for that little workgroup app that some PHP d
          • Re:why do people (Score:5, Informative)

            by ronabop (520121) on Tuesday November 20, 2007 @12:37AM (#21416699)
            The difference is that when an FM Pro app starts flaking out (public school systems are just eaten up with FM Pro deployments that got too big for their britches) there isn't a "big brother" product to easily transition to that scales.

            I've scaled FMP out quite nicely, actually. I think the problem you're more likely running into is one where poor database design and implementation does not scale, regardless of the engine used. Since you mentioned school systems, here's some examples of particular design and implementation mistakes I've run into in that environment.
            • Keeping all student records in one table, in perpetuity, so the engine has to slog through records from 10 years ago to find today's current students.
            • Keeping all records, for all tasks, on one DB machine, in one set of tables, rather than using separate machines (why should the student attendance records *always* be on the same machine as the cafeteria menu, the janitorial schedule, the PTA newsletter, and the 2001 teacher vacation sign-up sheet?)
            • The BigTable. Everybody who's worked in cleaning up poor DB design knows this one, the freaking huge table that stores *everything*. As text fields, of course. With no relational links.
            These simple design gotchas can be made with *any* db engine, and are often made by inexperienced designers. Easy and fun is setting up the basics, and when it gets slow, paying some geek (or finding a young volunteer who needs to pad their resume) to re-engineer the system.

            Of course, there are an awful lot of inexperienced db admins out there, who have only worked with scaling one or two kinds of db engines, and thus lack the history of "scaling" back when 30Hz and 64Mb of RAM was the maximum per desktop (and thus lack the tao of partitioning zen), or are used to using their "clustering tools" (and thus lack the tao of systems connections zen), or any other number of failings which prevent them from understanding how to actually scale something really big.

            If you're applying for a job as a DBA (or are the chief teacher/DBA for a school system), and you don't understand how DNS scales, well.... there ya go. ;)
            • Keeping all student records in one table, in perpetuity, so the engine has to slog through records from 10 years ago to find today's current students.

              I've not used FileMaker Pro, but this just sounds wrong. First, searching through a DB table should be a O(1) problem. If it's O(n) then you have some serious problems with your RDBMS. Unless what you are really saying is that your indexes no longer fit into memory so you need to start swapping.

              Secondly, you seem to be advocating splitting records between two tables. It seems like the correct solution to this problem is to instruct the RDBMS to partition the table. Splitting it into two tables breaks

        • Re: (Score:3, Insightful)

          by Mr2001 (90979)

          This puts you onto the path that will eventually lead to you buying MS SQL Server.
          Or installing SQL Server Express for free?
      • Re:why do people (Score:5, Insightful)

        by kelnos (564113) <bjt23@coGIRAFFErnell.edu minus herbivore> on Monday November 19, 2007 @08:12PM (#21414675) Homepage
        Unfortunately, with Access, it's not about the database itself, but about the GUI tools that many people find easy to use...
      • Re:why do people (Score:5, Insightful)

        by TheRaven64 (641858) on Monday November 19, 2007 @09:07PM (#21415145) Journal
        Access is not a database, it's a RAD tool for data-drive apps. You use Access when you want to quickly create a GUI for processing data (well, now you'd probably write a web app, but in the '90s it was the thing to use). Once you've done this, you progressively add features to your simple tool. Eventually, you have something that sprawls over thousands of lines of unmaintainable code, depends on Access, and is vital to your company.
        • Re: (Score:3, Funny)

          by SCHecklerX (229973)
          I thought it was just a way of keeping a bunch of copies of the same spreadsheet in one file. Not sure why they call them tables instead of spreadsheets though :)
        • by NullProg (70833)
          Minor correction..

          Access is not a database, it's a RAD tool for data-drive apps.
          IIRC, Its an single user ISAM database with a separate index. Microsoft tacked on (wrapped) C++/C/VB5/VB6 tools to make it RAD. FoxPro was better (X-Base) at the time IMHO. At the same time I used the Mix C-DATA ISAM database because it worked under OS/2, Unix, DOS, and windows (Truly cross-platform).

          Enjoy,
        • Re: (Score:3, Insightful)

          depends on a particular version of Access

          There, fixed that for ya....

    • Re: (Score:3, Insightful)

      by argent (18001)
      I hope we re-write our app in mySQL.

      If Jet was adequate, you may be better off using SQLite.
      • Re: (Score:3, Insightful)

        by TheRaven64 (641858)
        MOD PARENT UP. I'm not sure which Microsoft product I'd recommend replacing with MySQL. Actually, I'm not sure what use I'd consider for MySQL.

        If JET is adequate for your needs, SQLite is likely to be much better. If you are using SQL Server then you would be better off considering PostgreSQL as a migration path than MySQL.

    • Re: (Score:3, Interesting)

      by einhverfr (238914)
      I don't know. It seems to me that whoever did the triage screwed up. This is not unusual. I remember working at Microsoft and running into issues getting a number of issues fixed. However, the organizational structure of the company often makes it impossible to get problems fixed because nobody wants to act as a cost center for the security (passing the buck).

      When I worked at Microsoft, I remported what I felt was a serious security flaw. Despite the fact that the exploit I remorted resulted in one of
    • by Allador (537449)
      Theres just one small problem with your premise.

      All of the alternatives to Jet and Access are also free (at least in the same sense that Jet and MDB is free).

      SQL Server 2005 Express is free
      MSDE (SQL Server 2000 desktop) is free .NET is free .NET SDK and compilers are free
      all the drivers to interact between the two are free

      Many people choose to purchase Visual Studio (or an MSDN subscription), but its not at all necessary. There are other IDEs.
      • by rickb928 (945187)
        Currently, we do not have to install the Jet engine for our app to be installed. Yes, we use AC97 tables.

        Is SQL 2005 Express so free that you don't even have to install it?

        How about MSDE? .NET framework?

        We are riding on the coattails of Windows 2000/XP/Vista, to be sure, but the alternatives require our users to also install some DB engine,and our users are unsophisticated to the extreme. Leaving Access opens us up to the entire world of DB engines.

        We also need to encrypt data now. This limits things a b
  • do users care? (Score:4, Informative)

    by larry bagina (561269) on Monday November 19, 2007 @07:35PM (#21414303) Journal
    a few years back, I started up a software company. Although some of our stuff was open source, starving isn't a hobby, so some of it was closed. One thing we tried was (for a slight increase in price) guaranteeing to fix any critical bugs even if we no longer supported the software. If we couldn't provide a fix, the source code was in escrow so they could access it. There was zero interest in it.
    • Re:do users care? (Score:4, Insightful)

      by cdrguru (88047) on Monday November 19, 2007 @07:58PM (#21414545) Homepage
      Source code escrow was far more interesting in the late 1980s when some folks actually believed that if they paid for an application (and often a substantial fraction of its development) that they should have access to the source code if the author wasn't available. Part of this came from companies that got burned by the author abandoning their work for one reason or another. Part of it was also that it was a marketing tool - see, the source code can be gotten...

      Today that fantasy has mostly dispersed. Most companies know that if they don't develop an application internally they are at someone else's mercy. There are fewer failures of larger software publishers but even the larger ones sometimes abandon some application leaving the users in a bad spot. But having the source for a 150,000 line (or more!) application doesn't mean a company could compile it, much less fix a serious bug. In general it would take someone a long time to get familiar enough with something like this to be able to work on it with any degree of confidence. Especially a company with a mission-critical application needing a bug fixed - it would take months, often paying a consultant $150+ an hour.

      The "new" strategy seems to be:

      1. deal with larger, established companies whenever possible and hope their user base is large enough that they can just keep pushing out updates and have the product remain revenue-positive.
      2. Write off stuff that is abandoned because it is cheaper to switch to something else than try to independently resurrect something dead.
      3. Never ever do anything internally that could possibly be bought as off-the-shelf.

      Mostly, this is a lot smarter than the late 80s strategy.

    • There was zero interest in it.

      Until a potentially disasterous bug was found in a system critical piece of software. People don't always have enough vision to see the worth in something like this. Bravo for trying!

  • It's a very old technology. No new projects start with Access in its heart.
    • You haven't been outside much? Access is a part of Office 2003, a lot of people with just enough tech skills to be dangerous make their living off of writing Access dbs in critical situations.

      Not to mention MS Access files being used by some electronic voting Cos.
    • is not mainstream and not used anymore?
      • Re: (Score:3, Informative)

        by Allador (537449)
        MS Exchange doesnt use Access, and it doesnt use the same 'Jet' as what Access defaults to.

        Exchange uses a database technology known as ESE that was at a time known internally as 'Jet Blue'. Although its got the word Jet in it, it is not the same as the 'Jet' engine that Access uses.

        Read more [wikipedia.org] at Wikipedia. Particular note the difference between ESE and Jet Red [wikipedia.org].
  • voting (Score:5, Informative)

    by 99BottlesOfBeerInMyF (813746) on Monday November 19, 2007 @07:39PM (#21414349)

    Umm, isn't that the format used in the most popular voting machines to store all our votes?

    • by julesh (229690)
      Umm, isn't that the format used in the most popular voting machines to store all our votes?

      Yes. And?
  • This doesnt matter (Score:4, Insightful)

    by hcmtnbiker (925661) on Monday November 19, 2007 @07:44PM (#21414417)
    IMO this potential exploit is useless unless you're doing something with a JET database that you shouldn't be anyways. JET doesn't have database transactions, sure if you want to you can write them in at the application level but that's incredibly costly. If you're allowing people you don't trust to access a JET database something is wrong. JET will screw up if two users try to modify it at the same time, so why would someone you don't trust be using it, they could just as easily cost you enough damage by just modifying the DB while you are. SQL is used for that sort of thing, NOT JET.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Jet isn't useless. It's a fairly featureful file-based database which has somewhat decent ANSI support and decent library support via VBA functions. It also does support transactions. Your assessment of Jet is more or less correct, but it's not a failing of Jet as much as it is a failing of any file-based database which lacks a centralized server. Because the client library reads and writes directly to the database files it is possible for write operations to collide. There is no central process in cha
    • Exactly. What the hell are websites doing allowing people to upload Jet Databases to publicly accessible folders anyways? Giving out your website's master FTP username/password is a vulnerability as well, but no sane web host would do such a thing. I hope it'd be the same for the former scenario as well as this latter one.
  • by Volante3192 (953645) on Monday November 19, 2007 @07:47PM (#21414437)
    So to fire off this vulnerability, you have to run an .mdb file you found from "somewhere." Never mind these things could have embedded VB macros and other controls that could wreak havoc.

    Why not just start running installs you find from "somewhere?"

    Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expence of neutering the key selling point: stupid easy to do anything with?
    • Why not just start running installs you find from "somewhere?

      You would be surprised how many Windows admins (and some *NIX admins as well) will think nothing of running scripts and apps from very dubious sources on highly valuable mission critical servers. I have witnessed any number of messes caused by somebody running scripts they got from a link in some forum thread without bothering to get an idea of exactly what it was the thing did or even simply checking if the thing was compatible with the system version they were running them selves. David Hannum was right.

  • by flaming error (1041742) on Monday November 19, 2007 @07:50PM (#21414469) Journal

    some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection".
    Servers could be vulnerable to attack if they allow users to upload and run malicious code? Say it ain't so!
  • Almost all other OSS model vs proprietary model arguments are at least somewhat fuzy. Ethics and economics often seem to be in conflict. In many cases neither is tested or clear and we can't even agree on what goes in the pro and what goes in the con columns for each model individually. This case though highlights the fact very clearly that even if all software in your stack is not OSS at least the platform and common libraries should be.

    JET is a depreciated platform and is no longer being actively devel
    • by kelnos (564113)

      They would then be pretty likely to share it because there is no reason not to do so.

      Individuals, yes, probably. Organizations? Maybe, maybe not. In my experience, when someone at a company fixes a bug in 'upstream' software, they keep it to themselves[1]. It cost the company money to find and fix that bug, so they figure something like: why should we give that time (money) to our competitors for free?

      Not saying I agree or disagree with this attitude... it's just how it is.
      [1] Well, except for fixes to GPLed code.

      • The GPL doesn't make a difference if the company is not distributing the software. The reason for distributing code is that it costs more to maintain a fork and that cost increases the more it diverges. The reason for not distributing is that the fix gives you a competitive advantage. If the cost of forking is greater than the financial gain from forking then it makes sense to give the code back. Often, the people they will be helping are not their competitors, but their suppliers and customers (particu
    • by Allador (537449)

      JET is a depreciated platform and is no longer being actively developed or really supported in new projects by Microsoft. *OK* A perfectly reasonable position to take when you do have functionally replacement products being offered, which they do in the form of MSDE.
      Jet hasnt been deprecated, the MDB file format has been. Jet is still present on windows and ACCDB files are the currently supported flavor.
  • The "article" submitter is only trying to drum up hits to his blog. When it's this obvious, I don't even bother clicking through.

    Perhaps it wouldn't solve everything, but IMHO not directly linking the submitter's name to a non-slashdot URL would greatly limit the article spam on here. And, of course, not letting someone use slashdot to blatantly toot his own horn would limit the practice further.
    • by ptbarnett (159784)
      The link on the submitter's name should no longer be an issue. The URL has a "nofollow" attribute -- if a search engines honors it. However, the remaining links in the article summary do not have the no-follow attribute.
  • Not a big deal... (Score:5, Informative)

    by Vthornheart (745224) on Monday November 19, 2007 @08:24PM (#21414781)
    They're making a big deal of the following in both of the links in the article, repeating the same phrase over and over: "some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection"." They say this twice in one paragraph at one point. But what does that really mean? That means a server running ASP, that also is allowing end users to upload .mdb databases to it (???), AND to expose them from whatever location they've been uploaded to so that Connections can be made to them, will be vulnerable. That's a pretty hefty list of "ifs". If you're letting your users upload .mdb databases to your webserver at all, let alone to a publicly accessible folder, you're already asking for severe trouble. I can't imagine a website out there that would allow such uploading/public exposure to happen that doesn't already have severe security flaws merely by the amount of freedom its given its users in what they can do on the site. This is definitely a vulnerability, but the impact to ASP/ASP.NET servers is minimal if the hosts are implementing common sense security practices/user restrictions already.
  • That convenience and security are at odds is a flawed premise.

    Secure software doesn't have holes. User-friendly software is intuitive and does what it should.

    No reason the two can't happily co-exist.
    • I don't know why you haven't been moderated up. The belief that secure and user friendly are incompatible is the cause of a lot of insecure, unusable software. Security is a user interface problem [informit.com]. If you make security features that aren't user friendly, then the user will just disable them. If you make it so they can't be disabled, the user will use a different product. If you make them hard to understand, the user will use them wrongly.
  • Consumer protection rules are very clear on this. If the product is defective, its still covered under a warrantee and must be repaired or replaced at Microsoft's expense.

    It gets very interesting when the problem starts to cause other people problems under "innocent third party" laws. The only draw back is that it too nearly 30 years for these laws (and an act of congress) to take out the lawn darts so I don't think this has any of the legal team at Microsoft losing sleep.
    • by db32 (862117)
      1. Too bad by purchasing this product you agreed that it should not be used for anything important and cannot hold the company liable for it.
      2. I can't believe you are seriously upset about lawn darts.
      a. Children can still purchase all manner of dangerous toys to include paintball guns, pellet guns, and the good ol bow n arrow. b. If a 12yr old can legally operate a shotgun I fail to see how a lawn dart ban is anything other than a waste of my tax dollars. c. If you are too stupid to o
  • by RipSlider (923376) on Monday November 19, 2007 @08:42PM (#21414927)
    No matter what is written above, it's not just "Small business" which use Jet. I'm under an NDA(s), so won't name names, but lets say that, in the course of the last 18 months, I have worked in 1x Top 5 Bank and 2x top 10 financial services houses, in the UK, that would collapse if they loose their Access Databases within one week. ( Guess what my firm was brought in to do?) It's a similar situation to the household name that most people in the UK and US have some direct or indirect monies held in that currently has more than 700 staff in my company working 24 hours a day, 7 days a week to get all their data into a new data ware house after a rather worrying period where their main DB went down. What was the DB? It was a massively hacked about version of a CRM package that a developer got off a coverdisc ( PCPro magazine to be exact ), 6 years ago. Here's the thing: Big companies get into the same messes as small companies. If you truely believe that ALL of the top companies are using Oracle DB's, SOA architectures and data warehouses for mining purposes, your living in a dream world. Working as a solution architect that is meeting 2-3 major, as in top 250, clients a month, and looking at their issues, and the mess that they've got in to, I would be suprised if Microsoft manage to hold their "We're not going to fix it" position for long. Fact is, as soon as CIO's get stressed, they start to shout, and they'll shout at Microsoft if they feel that there is an issue. Remember that a lot of the major firms have 10 and 15 year support contracts with Microsoft, each of them bespoke. If one of them demands a fix, it will immediately be made available to all of the others on bespoke support contracts. At which point there is little reason to hold it back from the other major buyers, and so it cascades down the chain.
    • Re: (Score:3, Insightful)

      by gnuman99 (746007)
      Read at least the first paragraph before spreading more FUD. This is NOT a security problem as many pointed out here.

      "allowing for arbitrary code execution once the victim interacts with a malicious JET-dependent file (such as an Access file)."

      It is crazy. Like saying you downloaded a malicious .so file, installed it and it caused a security problem and the OS should not have allowed it. If you download malicious JET files, well, these tend to have code in them that can cause problems. DO NOT do that. So, t
  • My proposal is that, at least for security-sensitive products, closed-source software vendors must be forced by law to release their products as open-source after X years from the moment they stop properly handling user complaints. So, if you release a product used in sensitive installations and you stop supporting it after 3 years, you should be expected to open-source it as to allow the user community to maintain it.

    This should solve abandonware, which is a very serious problem in security-sensitive so

    • by corsec67 (627446)
      That should be tied to copyright as well, where after you stop selling/supporting something, it should go into public domain, not more than 15 years after you initially sell something. You could have the source in a secure escrow type service to prevent against a company going out of business.

      Copyright is already too crazy, with infinity+ years (in google speak), which needs to be stopped.
      • A better solution would be to require source code escrow for copyright. If you want copyright on your proprietary software, you have to place the code in escrow. Once you stop supporting the product, the code is released. Even if the code can only be distributed to people who already have a license for the software then this would be useful; at least they could employ third parties to make fixes and (ideally) distribute the diffs.
  • by gmuslera (3436) on Monday November 19, 2007 @11:31PM (#21416241) Homepage Journal
    Security
    ---------------------
    Microsoft

    Was that so hard?
    • Dude its not that bad.
      Win 2000 was strong on security.
      XP can be made strong, but weak on default security.
      Vista?? If you can make it run on what hardware you have, let me know
  • Microsoft is not interested in fixing a security flaw in the database they use for their Active Directory system? What, do they not care about the security of their authentication and authorization network OS database?

    Color me unsurprised, really (I don't know why they don't use SQL Server anyway, but whatever the reason, they don't yet).
  • by Xoc-S (645831) on Tuesday November 20, 2007 @01:50AM (#21417065)
    Of course modifying an mdb file causes a vulnerability. It would be stupid for it not to. As an analogy...he's saying that he can modify an executable file to execute arbitrary code. Well, duh! Since an mdb file can already have executable code in it, in the form of macros, references to ActiveX controls, and vba code, to treat it as anything but an executable is stupid. Microsoft Outlook and other email programs already treat mdb files as suspect. There are plenty of legitimate security holes around, but this isn't one of them.
  • I think the comments here regarding access as being tinker toy software are off the mark. Access has enabled scores of people to solve problems and manage data themselves.

    Sure, you can sit in your geek tower and laugh at the dolts that use Access every day to solve thousands of data management issues. A secretary can be trained to use Access to manage moderately complex data (the numbers on all the new telephones, people interviewed for specific positions and letters sent relative to those position
    • by Tony (765)
      Access *has* solved real-world problems.

      It has also caused real-world problems.

      I have seen *way* more improperly-coded applications in Access and Excel than in any other language or programming system. Why is that? Because people are designing "databases" with no fundamental understanding of data management. People code spreadsheets with no real idea of how to identify and correct bugs. They *only* advantage the user has it knowledge of the data. (Which *is* a good thing, granted.)

      Further, an access databas

Arithmetic is being able to count up to twenty without taking off your shoes. -- Mickey Mouse

Working...