
The Fine Line Between Security and Usability

SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format. He reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."

  • In my opinion (Score:4, Insightful)

    by moogied ( 1175879 ) on Monday November 19, 2007 @07:27PM (#21414205)
    Microsoft is a company, their goal is profit. Not security, not saving the environment, not making linux geeks smile. They want money. As every company on earth does. That is where the line is drawn. Exactly where it becomes unprofitable.
  • by rickb928 ( 945187 ) on Monday November 19, 2007 @07:34PM (#21414281) Homepage Journal
    ... that Microsoft doesn't want to fix Jet.

    They'd rather you re-wrote your app and used MSDE, or something with .NET in it.

    Not a lot of money in supporting the db engine they give away.

    And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?

    A pox on them all. I hope we re-write our app in mySQL.

  • Re:In my opinion (Score:3, Insightful)

    by timeOday ( 582209 ) on Monday November 19, 2007 @07:38PM (#21414345)
    Where else should the line be drawn? Unfortunately there is no line nicely "between" usability and security, because the two are in direct conflict. Computers would be so much easier to use in every way if we didn't have to worry about abuse - it's a huge part of the configuration burden that plagues computers today. That's the world we live in. The line has to be drawn somewhere, but "absolute security" isn't it (and neither is "absolute convenience").

    Whether Microsoft draws it at the right place is, of course, another question entirely.

  • by Anonymous Coward on Monday November 19, 2007 @07:42PM (#21414383)
    This is exactly the type of situation that proves why Open Source should exist and be used by any company with a brain and the willingness to retrain or dump their Windows Administration teams.

    Well supported and popular technology? Check. Original developer not interested? Oh well, grab the source and fix it. If you can't, someone else will because it's popular.

    End result - a secure platform for your legacy (and current!) applications without costly redevelopment costs.
  • This doesn't matter (Score:4, Insightful)

    by hcmtnbiker ( 925661 ) on Monday November 19, 2007 @07:44PM (#21414417)
    IMO this potential exploit is useless unless you're doing something with a JET database that you shouldn't be anyways. JET doesn't have database transactions, sure if you want to you can write them in at the application level but that's incredibly costly. If you're allowing people you don't trust to access a JET database something is wrong. JET will screw up if two users try to modify it at the same time, so why would someone you don't trust be using it, they could just as easily cost you enough damage by just modifying the DB while you are. SQL is used for that sort of thing, NOT JET.
  • by Volante3192 ( 953645 ) on Monday November 19, 2007 @07:47PM (#21414437)
    So to fire off this vulnerability, you have to run an .mdb file you found from "somewhere." Never mind these things could have embedded VB macros and other controls that could wreak havoc.

    Why not just start running installs you find from "somewhere?"

    Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expense of neutering the key selling point: stupid easy to do anything with?
  • by flaming error ( 1041742 ) on Monday November 19, 2007 @07:50PM (#21414469) Journal

    some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection".
    Servers could be vulnerable to attack if they allow users to upload and run malicious code? Say it ain't so!
  • by CannonballHead ( 842625 ) on Monday November 19, 2007 @07:50PM (#21414477)

    Sounds absolutely great. I wish every business person was as smart, since open source is obviously better in every way than closed source.

    End of sarcasm. Yeah, open source is pretty cool, I like it, etc. Does open source guarantee everything wonderful, does open source guarantee a business with a profit? No, it doesn't. Open source is not the answer to everything.

    And even open source organizations will stop support for decrepit applications. If you insist on using a 10 year old Linux kernel and demanding that some quirky bug in it be fixed, I'm not sure how much support you'd get :)

    Is that an exact analogy, no... but, as a previous poster said, businesses run on profit, not open source feel-good-ness... :)

  • Re:In my opinion (Score:5, Insightful)

    by jmv ( 93421 ) on Monday November 19, 2007 @07:56PM (#21414531) Homepage
    That's what really bothers me about the libertarian-neocon view on corporations. You have at the same time:

    1) Companies are only there to make a profit and don't have to care about things like environment, security, ...

    2) Regulation is evil, let the companies do whatever they like and the market will sort it out.

    Logical conclusion from 1) and 2) is that we're pretty much screwed and back to some kind of feudalism. And no, most people do not vote with their wallets and the Market will not sort it out magically (otherwise, CO2 emissions would already be on the way down and there wouldn't be all these environmental problems).
  • Re:do users care? (Score:4, Insightful)

    by cdrguru ( 88047 ) on Monday November 19, 2007 @07:58PM (#21414545) Homepage
    Source code escrow was far more interesting in the late 1980s when some folks actually believed that if they paid for an application (and often a substantial fraction of its development) that they should have access to the source code if the author wasn't available. Part of this came from companies that got burned by the author abandoning their work for one reason or another. Part of it was also that it was a marketing tool - see, the source code can be gotten...

    Today that fantasy has mostly dispersed. Most companies know that if they don't develop an application internally they are at someone else's mercy. There are fewer failures of larger software publishers but even the larger ones sometimes abandon some application leaving the users in a bad spot. But having the source for a 150,000 line (or more!) application doesn't mean a company could compile it, much less fix a serious bug. In general it would take someone a long time to get familiar enough with something like this to be able to work on it with any degree of confidence. Especially a company with a mission-critical application needing a bug fixed - it would take months, often paying a consultant $150+ an hour.

    The "new" strategy seems to be:

    1. deal with larger, established companies whenever possible and hope their user base is large enough that they can just keep pushing out updates and have the product remain revenue-positive.
    2. Write off stuff that is abandoned because it is cheaper to switch to something else than try to independently resurrect something dead.
    3. Never ever do anything internally that could possibly be bought as off-the-shelf.

    Mostly, this is a lot smarter than the late 80s strategy.

  • Re:Easy (Score:3, Insightful)

    by Jeremiah Stoddard ( 876771 ) on Monday November 19, 2007 @07:58PM (#21414551) Homepage Journal
    No; I know of no industry that works like that other than software. First, if a product is defective, I can return it and get it refunded or replaced. Beyond the warranty period, I still have the ability to alter it myself. Not so with software -- I can't return an opened package, even if the program doesn't work, and the EULA prevents me from making ANY modifications. Also, 10 years from now if it is discovered that my model of car has a "security risk", i.e. it explodes at random without warning, the manufacturer can still be held responsible. In this case, the software companies are trying to ditch any responsibility for their product, and require that the user pay them again for a newer version if they want their problem fixed. What's really stupid is your suggestion that the consumer is obligated to deal with a defective product.
  • by Anonymous Coward on Monday November 19, 2007 @07:59PM (#21414555)
    Jet isn't useless. It's a fairly featureful file-based database which has somewhat decent ANSI support and decent library support via VBA functions. It also does support transactions. Your assessment of Jet is more or less correct, but it's not a failing of Jet as much as it is a failing of any file-based database which lacks a centralized server. Because the client library reads and writes directly to the database files it is possible for write operations to collide. There is no central process in charge of policing the interaction to the database. This is compounded if the database isn't local as the latency for file operations is considerably greater. This is true of all file-based databases, including SQLite.

    If it's multiuser or networked, go RDBMS.
  • Re:In my opinion (Score:5, Insightful)

    by mrbluze ( 1034940 ) on Monday November 19, 2007 @08:07PM (#21414631) Journal

    Microsoft is a company, their goal is profit. Not security, not saving the environment, not making linux geeks smile.

    As correct as you are, there does not need to be a fine line between usability and security. There needs to be (and of course there will be) an ongoing evolution in software design to offer usability without compromising security. I reckon it won't be a long time before any software program that gets run in userspace (or any space) has to go out on bended knee requesting to do anything - forced to abide by a security policy by default which limits its access. I don't mean the old broad-brush users/groups/device permissions etc. model that is everywhere now, but stuff like "only allowed to read from this folder, only allowed to talk to this or that application, etc." with very low level behaviour controls.

    I don't think this needs to result in a "the mouse pointer wants to move, confirm/deny" scenario, but that the software designers need to submit with their product a security policy within which their application has to function. The user should be able to very easily browse this policy and see what the program expects to be able to do, and override things, such as "access the internet using HTTPS at port 3232 to server www.phonehome.net" or sloppy things like "read contents of /etc recursively" instead of "read contents of /etc/mostlyharmlesswidget/config".

    I know things like this already exist and there is a limited implementation of it, but to me that just confirms the point that it is the obvious next step.

  • Re:In my opinion (Score:5, Insightful)

    by fm6 ( 162816 ) on Monday November 19, 2007 @08:08PM (#21414635) Homepage Journal

    Microsoft is a company, their goal is profit.
    So what? You think there's no connection between security and profit? Next you'll be telling me that Ford's goal is profit, not reliable cars. Of course, nowadays they have neither...

    This whole discussion is based on a faulty premise, that MS is leaving its Access users without a fix. They have a fix, and they've had it for some time: stop using MDB format and convert your databases to a data engine that isn't a POS. They've deprecated MDB and Jet Engine. That means they're telling their customers "Don't use that stuff any more, it's faulty." The fact that they continue to support customers who ignore the deprecation doesn't change that.

    There is the little detail that Access itself is a POS. But that's designed in — not much they can do about that.
  • Re:why do people (Score:5, Insightful)

    by kelnos ( 564113 ) <bjt23@@@cornell...edu> on Monday November 19, 2007 @08:12PM (#21414675) Homepage
    Unfortunately, with Access, it's not about the database itself, but about the GUI tools that many people find easy to use...
  • by argent ( 18001 ) <peter@slashdot.2 ... m ['.ta' in gap]> on Monday November 19, 2007 @08:36PM (#21414877) Homepage Journal
    I hope we re-write our app in mySQL.

    If Jet was adequate, you may be better off using SQLite.
  • by RipSlider ( 923376 ) on Monday November 19, 2007 @08:42PM (#21414927)
    No matter what is written above, it's not just "Small business" which use Jet. I'm under an NDA(s), so won't name names, but let's say that, in the course of the last 18 months, I have worked in 1x Top 5 Bank and 2x top 10 financial services houses, in the UK, that would collapse if they lose their Access Databases within one week. (Guess what my firm was brought in to do?)

    It's a similar situation to the household name that most people in the UK and US have some direct or indirect monies held in that currently has more than 700 staff in my company working 24 hours a day, 7 days a week to get all their data into a new data warehouse after a rather worrying period where their main DB went down. What was the DB? It was a massively hacked about version of a CRM package that a developer got off a coverdisc (PCPro magazine to be exact), 6 years ago.

    Here's the thing: Big companies get into the same messes as small companies. If you truly believe that ALL of the top companies are using Oracle DBs, SOA architectures and data warehouses for mining purposes, you're living in a dream world.

    Working as a solution architect that is meeting 2-3 major, as in top 250, clients a month, and looking at their issues, and the mess that they've got in to, I would be surprised if Microsoft manage to hold their "We're not going to fix it" position for long. Fact is, as soon as CIOs get stressed, they start to shout, and they'll shout at Microsoft if they feel that there is an issue.

    Remember that a lot of the major firms have 10 and 15 year support contracts with Microsoft, each of them bespoke. If one of them demands a fix, it will immediately be made available to all of the others on bespoke support contracts. At which point there is little reason to hold it back from the other major buyers, and so it cascades down the chain.
  • by berzerke ( 319205 ) on Monday November 19, 2007 @08:43PM (#21414931) Homepage

    ...all the dumb bastards that decided to rely on a free piece of software from a company with a horrible reputation for customer support and secure coding practices get what they deserve!

    Except with the Internet and massive databases floating around, we are all interconnected. Jet DBs may not be massive, but that doesn't mean the company doesn't have access to other real databases. OK, so the stupid company gets owned. Now, if they have any info on me, that's in the criminal's hands, and good luck getting compensation even if the company admitted full responsibility. Their Internet connection can now be used to spam or DOS me. If they go out of business, think about all the employees who had nothing to do with the IT decisions (and those who opposed this particular one). They get to stand in the unemployment line. Vendors might get shafted on unpaid invoices.

    Just because your system is secure doesn't mean you don't get affected by someone else's insecure system. And no, I don't know what the solution to that problem is.

  • Re:why do people (Score:5, Insightful)

    by TheRaven64 ( 641858 ) on Monday November 19, 2007 @09:07PM (#21415145) Journal
    Access is not a database, it's a RAD tool for data-driven apps. You use Access when you want to quickly create a GUI for processing data (well, now you'd probably write a web app, but in the '90s it was the thing to use). Once you've done this, you progressively add features to your simple tool. Eventually, you have something that sprawls over thousands of lines of unmaintainable code, depends on Access, and is vital to your company.
  • by TheRaven64 ( 641858 ) on Monday November 19, 2007 @09:16PM (#21415217) Journal

    If you insist on using a 10 year old Linux kernel and demanding that some quirky bug in it be fixed, I'm not sure how much support you'd get :)
    The amount of support you get generally depends on how much you are willing to pay for it. This cost will go up as the product becomes less mainstream. The upper limit (when you are the only organisation using it) is employing a team of people to become familiar with the code and fix bugs. This is likely to cost a couple of hundred thousand dollars a year, but if you are running a multimillion dollar business on some in-house software that depends on something external, then it may be worth it. It's more likely that it will be cheaper to port your code to something newer at this point, however. This is a last resort with Free Software, but it is not even an option with proprietary code. If the proprietary vendor decides it is not in their financial interest to keep developing the software then you are stuck.

    The cost of maintaining Free Software follows a curve. You can fairly easily predict how expensive it will be to keep maintaining something you depend on, and how expensive it is to move away. Once it becomes cheaper to move, that's what you should do.

  • Re:why do people (Score:3, Insightful)

    by Mr2001 ( 90979 ) on Monday November 19, 2007 @10:20PM (#21415693) Homepage Journal

    This puts you onto the path that will eventually lead to you buying MS SQL Server.
    Or installing SQL Server Express for free?
  • by gnuman99 ( 746007 ) on Monday November 19, 2007 @10:51PM (#21415931)
    Read at least the first paragraph before spreading more FUD. This is NOT a security problem as many pointed out here.

    "allowing for arbitrary code execution once the victim interacts with a malicious JET-dependent file (such as an Access file)."

    It is crazy. Like saying you downloaded a malicious .so file, installed it and it caused a security problem and the OS should not have allowed it. If you download malicious JET files, well, these tend to have code in them that can cause problems. DO NOT do that. So, this is not a critical problem unless your application is critically insecure by design in which case you have a different problem.
  • by Anonymous Coward on Tuesday November 20, 2007 @01:08AM (#21416855)
    "Access is the path to the dark side, for Access leads to SQL Server, and SQL Server leads to suffering."

    Yes, you're funny, but SQL Server is a solid, well-done database. In terms of quality of product, I think it's the best thing that MS sells.
  • by Xoc-S ( 645831 ) on Tuesday November 20, 2007 @01:50AM (#21417065)
    Of course modifying an mdb file causes a vulnerability. It would be stupid for it not to. As an analogy...he's saying that he can modify an executable file to execute arbitrary code. Well, duh! Since an mdb file can already have executable code in it, in the form of macros, references to ActiveX controls, and vba code, to treat it as anything but an executable is stupid. Microsoft Outlook and other email programs already treat mdb files as suspect. There are plenty of legitimate security holes around, but this isn't one of them.
  • Re:In my opinion (Score:3, Insightful)

    by jmv ( 93421 ) on Tuesday November 20, 2007 @02:32AM (#21417259) Homepage
    the problem with capitalism (the system you're pretty much describing, not libertarianism)

    I don't believe it's a fundamental problem with capitalism itself. It's a problem with *unregulated* capitalism.

    clueless morons who'd rather follow Big Corp's marketing dept. instead of educating themselves about the issues that affect them

    Unfortunately, that won't be fixed unless the govt were to spend at least the same amount on advertisement as Big Corps do, which is highly unlikely (and possibly undesirable anyway). Otherwise, it's a lost battle. You've got billions spent on ads telling everyone to eat junk food (just one example) and a couple millions into actually telling people it's bad for you. You can say "people could stop paying attention to ads", but that would be missing the point. The fact is that ads *do* work. Otherwise Big Corps wouldn't be spending billions on it in the first place. If you can't get people to stop buying food that makes them sick, how the hell are you going to stop them from buying from companies that destroy the environment at a global scale. This is why I do not believe "voting with your wallet" will ever work except for a few rare cases.
  • by blueridge ( 1187481 ) on Tuesday November 20, 2007 @08:53AM (#21419007)
    I think the comments here regarding access as being tinker toy software are off the mark. Access has enabled scores of people to solve problems and manage data themselves.

    Sure, you can sit in your geek tower and laugh at the dolts that use Access every day to solve thousands of data management issues. A secretary can be trained to use Access to manage moderately complex data (the numbers on all the new telephones, people interviewed for specific positions and letters sent relative to those positions, products bid out and vendor responses and on and on and on).

    Do you really propose that she/he write a web application for this? Or just hack up some Perl with mySQL to manage these things? Or whip out a bit of .NET code? Or would you rather they ask IT to develop an application to do these trivial things?

    Access has solved real world problems for real people for a long long time and will continue to do so regardless of how data and/or system design snobs feel about it. It is an empowering piece of software. I think some of the attitudes here are IT centric and not in keeping with the real business end of most companies.

  • by TheRaven64 ( 641858 ) on Tuesday November 20, 2007 @08:57AM (#21419029) Journal
    MOD PARENT UP. I'm not sure which Microsoft product I'd recommend replacing with MySQL. Actually, I'm not sure what use I'd consider for MySQL.

    If JET is adequate for your needs, SQLite is likely to be much better. If you are using SQL Server then you would be better off considering PostgreSQL as a migration path than MySQL.

  • Re:why do people (Score:3, Insightful)

    by pedestrian crossing ( 802349 ) on Tuesday November 20, 2007 @09:10AM (#21419139) Homepage Journal

    depends on a particular version of Access

    There, fixed that for ya....

  • by argent ( 18001 ) <peter@slashdot.2 ... m ['.ta' in gap]> on Tuesday November 20, 2007 @09:26AM (#21419265) Homepage Journal
    SQL Server is [...] the best thing that MS sells.

    Damning with faint praise.
  • by Tony ( 765 ) on Tuesday November 20, 2007 @12:29PM (#21421655) Journal
    Access *has* solved real-world problems.

    It has also caused real-world problems.

    I have seen *way* more improperly-coded applications in Access and Excel than in any other language or programming system. Why is that? Because people are designing "databases" with no fundamental understanding of data management. People code spreadsheets with no real idea of how to identify and correct bugs. The *only* advantage the user has is knowledge of the data. (Which *is* a good thing, granted.)

    Further, an access database represents an island of information. They are difficult to connect to the rest of the business knowledge base. They are usable only to one or a few people. This feeds into recreational empire-building.

    And the worst part: businesses make actual *business decisions* based on these flawed islands of data.

    But, it's up to management to figure out which data is "business-critical," and try to ensure that data is managed by data management professionals. Sure, not all data needs that kind of care. But I'd wager most *interesting* data does.
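
Xoc-S's point above that an .mdb should be handled like an executable, and the upload scenario flaming error quotes, both come down to screening files by content rather than by name. The following is an added example, not part of the original thread or any poster's code: a small Python gate that recognises Jet/ACE database headers. The function names, the "quarantine"/"pass" verdicts and the sample inputs are assumptions made for illustration.

```python
import os
from typing import Optional, Tuple

# Well-known file signatures: bytes 00 01 00 00, then a NUL-terminated format name.
_PREFIX = b"\x00\x01\x00\x00"
SIGNATURES = {
    _PREFIX + b"Standard Jet DB\x00": "jet",  # .mdb / .mde
    _PREFIX + b"Standard ACE DB\x00": "ace",  # .accdb / .accde
}
ACCESS_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}
HEADER_BYTES = 20  # length of either signature


def sniff_access_format(head: bytes) -> Optional[str]:
    """Return 'jet' or 'ace' if the leading bytes carry a database signature."""
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None


def normalised_extension(filename: str) -> str:
    """Lower-case extension, ignoring the trailing dots/spaces Windows drops."""
    cleaned = filename.strip().rstrip(". ").lower()
    return os.path.splitext(cleaned)[1]


def screen_attachment(filename: str, head: bytes) -> Tuple[str, str]:
    """Hypothetical gate: returns (verdict, reason) for an upload or attachment.

    Anything the database engine would try to parse is treated like an
    executable, whether it is identified by content or only by name.
    """
    fmt = sniff_access_format(head[:HEADER_BYTES])
    ext = normalised_extension(filename)
    if fmt is not None:
        if ext in ACCESS_EXTENSIONS:
            return "quarantine", f"{fmt} database"
        return "quarantine", f"{fmt} database disguised as {ext or 'no extension'}"
    if ext in ACCESS_EXTENSIONS:
        # A malformed header does not make the file safe: the engine would
        # still be asked to open it.
        return "quarantine", "Access extension with unrecognised header"
    return "pass", "not Access content"


if __name__ == "__main__":
    # Constructed sample inputs (not real files).
    jet_head = _PREFIX + b"Standard Jet DB\x00" + b"\x00" * 32
    samples = [
        ("orders.mdb", jet_head),
        ("invoice.pdf", jet_head),         # renamed database
        ("data.MDB. ", b"\xde\xad\xbe\xef"),  # odd name, broken header
        ("notes.txt", b"plain text"),
    ]
    for name, head in samples:
        print(f"{name!r:16} -> {screen_attachment(name, head)}")
```

A "pass" here only means this one check has no objection; it says nothing about other file types.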
