The Fine Line Between Security and Usability
SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case, independent security researcher cocoruder found a critical bug in the JET engine via the .mdb (Access) file format. He reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability in a data technology that is at the heart of a large number of essential business and hobby applications."
Re:why do people (Score:3, Interesting)
Yeah, it's true that Access is a gateway drug to SQL Server. But that IS a viable upgrade path for that little workgroup app that some PHB decided to expose to a 10,000-node WAN.
Re:I always go with OpenBSD. (Score:5, Interesting)
Re:This is not news to me... (Score:3, Interesting)
When I worked at Microsoft, I reported what I felt was a serious security flaw. Despite the fact that the exploit I reported resulted in one of the lead engineers handing me his Hotmail password, this was seen as a user issue and not a security one (it had to do with options for encoding URLs so that the @ sign could be sufficiently obfuscated that nobody could be expected to see what was going on), that is, until a few months later when someone sent out phishing emails appearing to come from Microsoft. (It was then fixed in a hurry.)
I have had other experiences at Microsoft suggesting that only when it becomes a PR problem for Microsoft will they fix something which does not fit their ideas of how the software is supposed to be used. Their answer in this case suggests that the feeling is that the solution is not to use untrusted sources of Access dbs. Just wait for someone in a business to show how this can be done using Access with far fewer permissions, and then it might get fixed.
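The comment above describes the classic "userinfo" trick: a URL such as `http://trusted-looking-name@real-host/` shows a familiar name first, while the browser actually connects to whatever follows the `@`, and percent-encoding the `@` makes it harder still for a reader to spot. The following is an added example (not code from the original post or from Microsoft) of the defender's side: a small checker that resolves which host a URL really points at and flags URLs whose userinfo part looks like a hostname. It assumes a URL list such as one extracted from mail bodies or proxy logs; the sample URLs are constructed here and use documentation addresses. The decoding of `%40` inside the authority is a deliberate worst-case assumption (treat the encoded form as if a browser would honour it), not a statement about any particular browser's behaviour.

```python
from urllib.parse import urlsplit, unquote

def analyze_url(url):
    """Return a dict describing where the URL really connects.

    Keys: scheme, userinfo (text before the last '@', or ''), host (the
    hostname the client actually connects to), deceptive (True when the
    userinfo part looks like a hostname, i.e. contains a dot).
    """
    parts = urlsplit(url.strip())
    # Worst-case assumption: decode percent-escapes in the authority so that
    # an encoded '@' (%40) is treated the same as a literal one.
    netloc = unquote(parts.netloc)
    userinfo, sep, rest = netloc.rpartition("@")
    if not sep:
        userinfo, rest = "", netloc
    # Re-parse the authority that remains to get a normalised hostname
    # (lower-cased, port stripped, IPv6 brackets handled by urlsplit).
    host = urlsplit(f"{parts.scheme}://{rest}").hostname or ""
    # Heuristic: real credentials rarely contain a dot, a decoy domain always does.
    deceptive = "." in userinfo
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "host": host,
        "deceptive": deceptive,
    }

def flag_deceptive(urls):
    """Return [(url, real_host), ...] for every URL judged deceptive."""
    flagged = []
    for url in urls:
        info = analyze_url(url)
        if info["deceptive"]:
            flagged.append((url, info["host"]))
    return flagged

# Constructed sample input (documentation names/addresses, not real sites).
SAMPLE_URLS = [
    "http://www.example.com@203.0.113.5/login",      # literal '@' decoy
    "http://www.example.com%40203.0.113.5/login",    # percent-encoded '@'
    "http://www.example.com/login",                  # ordinary URL
    "ftp://user:pass@ftp.example.com/",              # legitimate credentials
]

if __name__ == "__main__":
    for url, real_host in flag_deceptive(SAMPLE_URLS):
        print(f"DECEPTIVE: {url} actually connects to {real_host}")
```

Run over the sample list, only the first two URLs are reported, both resolving to `203.0.113.5`; the credential-bearing FTP URL passes because its userinfo carries no dot. For production use, the same check belongs in a mail gateway or proxy rule, and the dot heuristic can be tightened to "userinfo equals or ends with a brand domain you care about".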