The Fine Line Between Security and Usability
SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case, independent security researcher cocoruder found a critical bug in the JET engine, via the .mdb (Access) file format. He reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability in a data technology that is at the heart of a large number of essential business and hobby applications."
do users care? (Score:4, Informative)
Because it's not mainstream (Score:2, Informative)
voting (Score:5, Informative)
Umm, isn't that the format used in the most popular voting machines to store all our votes?
Not a big deal... (Score:5, Informative)
Re:Exactly the situation that Open Source wins (Score:1, Informative)
Hint: Just because he hasn't fixed any bugs, or even found any, doesn't mean he can't pay someone to do it for him.
Hint: You try that with $PROPRIETARY_VENDOR
Hint: You're an idiot.
Re:why do people (Score:5, Informative)
I've scaled FMP out quite nicely, actually. I think the problem you're more likely running into is one where poor database design and implementation does not scale, regardless of the engine used. Since you mentioned school systems, here are some examples of particular design and implementation mistakes I've run into in that environment.
Of course, there are an awful lot of inexperienced db admins out there, who have only worked with scaling one or two kinds of db engines, and thus lack the history of "scaling" back when 30Hz and 64Mb of RAM was the maximum per desktop (and thus lack the tao of partitioning zen), or are used to using their "clustering tools" (and thus lack the tao of systems connections zen), or any other number of failings which prevent them from understanding how to actually scale something really big.
If you're applying for a job as a DBA (or are the chief teacher/DBA for a school system), and you don't understand how DNS scales, well.... there ya go.
Re:MS Exchange (Score:3, Informative)
Exchange uses a database technology known as ESE that was at one time known internally as 'Jet Blue'. Although it's got the word Jet in it, it is not the same as the 'Jet' engine that Access uses.
Read more [wikipedia.org] at Wikipedia. In particular, note the difference between ESE and Jet Red [wikipedia.org].
Re:This doesnt matter (Score:3, Informative)
It used something that originated as DAE, and whose team and query engine was merged for a brief period with Jet Red (what Access uses).
But the ESE (sometimes called Jet Blue, even though it has almost nothing to do with the Jet that Access uses) used by Exchange and Active Directory is not that Jet you're talking about.
Two minutes of searching Wikipedia for 'Jet Blue' or ESE will clear this all up for you. In particular, read the History section and the 'Comparison to Jet Red'.
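The two comments above make the point that Jet Red (the .mdb engine behind Access, where the reported bug lives) and ESE (Exchange, Active Directory) are different engines with different on-disk formats. The following is an added example, not code from the thread or from Microsoft: a small Python sniffer that tells Jet Red, ACE (.accdb) and ESE files apart by their header bytes, so that a mail gateway or triage script can flag Jet content regardless of the extension it arrives under. The magic values are taken from the reverse-engineered layouts documented by the mdbtools and libesedb projects (Jet/ACE: "Standard Jet DB" / "Standard ACE DB" at offset 4 with a version byte at 0x14; ESE: signature 0x89ABCDEF at offset 4 after a 4-byte checksum); treat the offsets as an assumption to verify against real files before relying on them. The sample headers are constructed inline.

```python
"""Identify Jet Red (.mdb), ACE (.accdb) and ESE (.edb) files by header bytes.

Added example; not part of the original thread. Header layouts are taken from
the mdbtools and libesedb documentation and should be checked against real
files before use in production (assumption).
"""
import os

# Jet Red / ACE: 4-byte prefix 00 01 00 00, then a NUL-terminated name string.
# "Standard Jet DB" is 15 chars, so the version byte lands at offset 0x14.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB\x00"
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB\x00"
VERSION_OFFSET = 0x14          # 0x00 = Jet 3.x, 0x01 = Jet 4.x

# ESE: page 0 starts with a 4-byte checksum, then signature 0x89ABCDEF
# stored little-endian, i.e. bytes EF CD AB 89 at offset 4.
ESE_SIGNATURE = b"\xef\xcd\xab\x89"

# Extensions under which Access/Jet content is expected to arrive.
ACCESS_EXTS = {".mdb", ".mde", ".accdb", ".accde"}


def identify_database(data: bytes) -> str:
    """Return 'jet-red-3', 'jet-red-4', 'ace', 'ese' or 'unknown'."""
    if len(data) <= VERSION_OFFSET:
        return "unknown"
    if data.startswith(JET_MAGIC):
        version = data[VERSION_OFFSET]
        return {0x00: "jet-red-3", 0x01: "jet-red-4"}.get(
            version, f"jet-red-unknown-{version}")
    if data.startswith(ACE_MAGIC):
        return "ace"
    if data[4:8] == ESE_SIGNATURE:
        return "ese"
    return "unknown"


def is_jet_content(kind: str) -> bool:
    """True for anything the Access/Jet Red or ACE engine would open."""
    return kind.startswith("jet-red") or kind == "ace"


def extension_mismatch(name: str, data: bytes) -> bool:
    """Flag Jet/ACE content hiding behind a non-Access extension.

    A bug in the .mdb parser is reachable whenever the content is Jet,
    so the decision has to be made on the bytes, not on the filename.
    """
    ext = os.path.splitext(name)[1].lower()
    return is_jet_content(identify_database(data)) and ext not in ACCESS_EXTS


# Constructed sample headers (not captured from real files).
SAMPLE_JET4 = JET_MAGIC + b"\x01" + b"\x00" * 43
SAMPLE_JET3 = JET_MAGIC + b"\x00" + b"\x00" * 43
SAMPLE_ACE = ACE_MAGIC + b"\x02" + b"\x00" * 43
SAMPLE_ESE = b"\x12\x34\x56\x78" + ESE_SIGNATURE + b"\x00" * 56
SAMPLE_TEXT = b"just a text attachment, nothing to see here\n"


def triage(attachments: dict) -> dict:
    """Map attachment name -> (detected kind, suspicious extension?)."""
    return {
        name: (identify_database(data), extension_mismatch(name, data))
        for name, data in attachments.items()
    }


if __name__ == "__main__":
    for name, result in triage({
        "inventory.mdb": SAMPLE_JET4,
        "old-export.mdb": SAMPLE_JET3,
        "report.accdb": SAMPLE_ACE,
        "priv1.edb": SAMPLE_ESE,
        "notes.txt": SAMPLE_TEXT,
        "invoice.txt": SAMPLE_JET4,   # Jet content under a harmless extension
    }).items():
        print(f"{name:16} {result}")
```

The ESE header is deliberately not treated as Jet content: a filter written for the Access bug should not quarantine Exchange or AD database files, which is exactly the confusion the comments above are clearing up.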
.mdb is already a code-execution file format. (Score:1, Informative)
Microsoft won't patch this because the Jet format already allows for column type definitions that execute callbacks to calculate the value.
http://msdn2.microsoft.com/en-us/library/ms684489.aspx [microsoft.com]
If you can trick someone into opening a malicious