PC Week [Jan. 15, 1996]: Access 2.0 Security Flaw
Tony Toews
>My e-mail to PC Week editors (sent 12/11/1995) about the CopyObjects
>flaw of Access 2.0 ran on the January 15th edition of PC Week:
Good for you!
>Editor's Note: Microsoft has ackowledged this flaw, and a patch is
>available.
REALLY???? Where the @#(*&#@$ is it then??? Sorry, I realize that
this is a rhetorical question and not aimed at you, Weiqi.
Tony
Tony Toews, Independent Computer Consultant
Jack of a few computer related trades and master (or certified) of none.
Weiqi Gao
My e-mail to PC Week editors (sent 12/11/1995) about the CopyObjects
flaw of Access 2.0 ran on the January 15th edition of PC Week:
=====================================================================
Dear Editors,
I read with interest your coverage of the Windows 95 password-caching
bug (12/11/95, p.3, Eamonn Sullivan.)
I'm not sure if PCWeek has heard of the Microsoft Access 2.0 opyObject
flaw that allow a lower privileged user of an Access 2.0 application
access to information he doesn't have permission to access.
This has been a hot topic on the comp.databases.ms-access news group
as well as the Microsoft Access forum on CompuServe for quite some
time now.
Microsoft Access Team has posted a message on the CompuServe forum
acknowleging the flaw. However, without the power of the media, I
cannot independently confirm the authenticity of the message.
--
Weiqi Gao
weiq...@crl.com on the internet
=====================================================================
With the following:
=====================================================================
Editor's Note: Microsoft has ackowledged this flaw, and a patch is
available.
=====================================================================
--
Weiqi Gao
weiq...@crl.com
John Corrigan
>
>weiq...@crl.com (Weiqi Gao) wrote:
>>My e-mail to PC Week editors (sent 12/11/1995) about the CopyObjects
>>flaw of Access 2.0 ran on the January 15th edition of PC Week:
>Good for you!
>>Editor's Note: Microsoft has ackowledged this flaw, and a patch is
>>available.
>REALLY???? Where the @#(*&#@$ is it then??? Sorry, I realize that this
>is a rhetorical question and not aimed at you, Weiqi.
So let me see if I have this right... If you apply the patch to your copy
of Access you will no longer be able to copy objects that you are not
supposed to??? REAL GOOD -- NOT!
--
jcor...@teleport.com (John Corrigan)
.. OS/2 means...CURTAINS for Windows!
-- MR/2 2.26 #314
Tony Toews
>So let me see if I have this right... If you apply the patch to your copy
>of Access you will no longer be able to copy objects that you are not
>supposed to??? REAL GOOD -- NOT!
Why?
Eric Rossing
>jcor...@teleport.com (John Corrigan) wrote:
>
>
>>So let me see if I have this right... If you apply the patch to your copy
>>of Access you will no longer be able to copy objects that you are not
>>supposed to??? REAL GOOD -- NOT!
>
>Why?
Because if you apply this patch and think all is right with the world,
and then I steal your database and load it into an unpatched Access, I
can still use the flaw.
As has been posted several times, a fix would require changes to:
1) Access 2.0(to fix the bug)
2) The Access 2.0 file format(to keep unpatched Accesses from reading
your file).
3) The Jet 2.5 engine(to account for the Access file format change)
4) The Jet 3.0 engine(which can read 2.0 files - see above)
According to a previously-posted statement from MS(quoted from
C$erve), the "patch" is to upgrade to Access 7.0.
Eric Rossing
Intec Company, Inc.
eros...@sirus.com
Sundial Services
>>jcor...@teleport.com (John Corrigan) wrote:
>>
>>
>>>So let me see if I have this right... If you apply the patch to your copy
>>>of Access you will no longer be able to copy objects that you are not
>>>supposed to??? REAL GOOD -- NOT!
>>
>>Why?
>Because if you apply this patch and think all is right with the world,
>and then I steal your database and load it into an unpatched Access, I
>can still use the flaw.
>As has been posted several times, a fix would require changes to:
>1) Access 2.0(to fix the bug)
>2) The Access 2.0 file format(to keep unpatched Accesses from reading
>your file).
>3) The Jet 2.5 engine(to account for the Access file format change)
>4) The Jet 3.0 engine(which can read 2.0 files - see above)
>According to a previously-posted statement from MS(quoted from
>C$erve), the "patch" is to upgrade to Access 7.0.
Which (chuckle) ALSO has the same flaw. But from what I've seen of Access 7.0
the first time around (which is, I might add, a lot), there is no doubt in my
mind that there is going to have to be a 7.0.1 and *soon.* Maybe they can fix
it then.
Tony Toews
>>>So let me see if I have this right... If you apply the patch to your copy
>>>of Access you will no longer be able to copy objects that you are not
>>>supposed to??? REAL GOOD -- NOT!
>>Why?
>Because if you apply this patch and think all is right with the world,
>and then I steal your database and load it into an unpatched Access, I
>can still use the flaw.
>As has been posted several times, a fix would require changes to:
>1) Access 2.0(to fix the bug)
>2) The Access 2.0 file format(to keep unpatched Accesses from reading
>your file).
>3) The Jet 2.5 engine(to account for the Access file format change)
>4) The Jet 3.0 engine(which can read 2.0 files - see above)
Yup, I would expect a patch to cover all those area's. Which explains
my asking why? I would've assumed a fairly complex patch whereas you
weren't. That said I never really expect Mickeysoft to come up with
a patch of any kind!
>According to a previously-posted statement from MS(quoted from
>C$erve), the "patch" is to upgrade to Access 7.0.
Surprise, surprise!! Sheesh. And it's still got holes.