The Fine Line Between Security and Usability
SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case, independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format. He reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."
Microsoft is a company; their goal is profit. Not security, not saving the environment, not making Linux geeks smile. They want money, as every company on earth does. That is where the line is drawn: exactly where it becomes unprofitable.
So basically, -1 troll/offtopic is really Slashdot's way of saying "I hate that you thought of something before me."
When I put together a system and security is paramount, there's really only one choice: OpenBSD.
Their no-bullshit policy with regards to security and high-quality code is what allows them to put together such a stable, secure, and high-quality operating system.
And I always use their security-hardened versions of GCC and Apache, just to ensure that the web sites I'm serving are as secure as possible.
Mordac, the preventer of information services, makes a statement on security versus usability:
http://dilbert.com/comics/dilbert/archive/dilbert-20071116.html
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
... that Microsoft doesn't want to fix Jet.
They'd rather you re-wrote your app and used MSDE, or something with .NET in it.
Not a lot of money in supporting the db engine they give away.
And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?
A pox on them all. I hope we re-write our app in mySQL.
deleting the extra space after periods so i can stay relevant, yeah.
A few years back, I started up a software company. Although some of our stuff was open source, starving isn't a hobby, so some of it was closed. One thing we tried was (for a slight increase in price) guaranteeing to fix any critical bugs even if we no longer supported the software. If we couldn't provide a fix, the source code was in escrow so they could access it. There was zero interest in it.
Do you even lift?
These aren't the 'roids you're looking for.
I may have misunderstood, but it seems TFA is not about a fine line, but a chasm?
It's a fine line between madness and genius. Between cool and corny, or even between love and hate.
But there is no point where usability suddenly flips over into security, is there? And they are both good things.
It's a very old technology. No new projects start with Access in its heart.
If someone has paid for the software, the vendor should be obligated to fix malfunctions and security risks for as long as the software is in use, or until they release the source. If you pay for something, you have the right to expect it to work; if you're not given the means to correct issues with it, you have the right to expect that the company who took your money corrects those issues.
Umm, isn't that the format used in the most popular voting machines to store all our votes?
This is exactly the type of situation that proves why Open Source should exist and be used by any company with a brain and the willingness to retrain or dump their Windows Administration teams.
Well supported and popular technology? Check. Original developer not interested? Oh well, grab the source and fix it. If you can't, someone else will because it's popular.
End result - a secure platform for your legacy (and current!) applications without costly redevelopment costs.
Maybe the question isn't where the line should be drawn, but who should do the drawing?
IMO this potential exploit is useless unless you're doing something with a JET database that you shouldn't be anyway. JET doesn't have database transactions; sure, if you want to, you can write them in at the application level, but that's incredibly costly. If you're allowing people you don't trust to access a JET database, something is wrong. JET will screw up if two users try to modify it at the same time, so why would someone you don't trust be using it? They could just as easily cost you enough damage by just modifying the DB while you are. SQL is used for that sort of thing, NOT JET.
If I had one dollar for every brain you don't have, I would have $1.
I've gotta say, it's comforting to see this again. It felt weird to not have to quickly tab down a few times so that bystanders wouldn't think I was reading about eating someone else's fecal matter. I, for one, am glad to welcome "Mr. eating-shit-troll" back into the Slashdot fold.
Today's lucky number is: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
This (or similar) bug was reported by HexView in 2005 and they also received no word from MS. http://www.hexview.com/docs/20050331-1.txt
So to fire off this vulnerability, you have to run an .mdb file you found from "somewhere." Never mind these things could have embedded VB macros and other controls that could wreak havoc.
Why not just start running installs you find from "somewhere?"
Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expense of neutering the key selling point: stupid easy to do anything with?
keep using access? It is so dinky as a relational database... I'm not honestly sure what it *is* supposed to be used for.
Almost all other OSS model vs proprietary model arguments are at least somewhat fuzzy. Ethics and economics often seem to be in conflict. In many cases neither is tested or clear, and we can't even agree on what goes in the pro and what goes in the con columns for each model individually. This case, though, highlights the fact very clearly that even if all software in your stack is not OSS, at least the platform and common libraries should be.
JET is a deprecated platform and is no longer being actively developed or really supported in new projects by Microsoft. *OK* A perfectly reasonable position to take when you do have functional replacement products being offered, which they do in the form of MSDE.
Every product has a life cycle which eventually is end of life; JET is old, obsolete and makes little sense for new work on today's more powerful platforms. *OK*
Lots of projects and products are built around JET, many of them are not obsoleted or replaced, and newer versions based on different storage backends might be quite a ways off. There is a lot of JET stuff out there, lots.
The OSS model in this case would result in somebody fixing it, simply because so many people use it for so many things. Even if the original authors could not be bothered, lots of organizations or individuals out there would have a vested interest in making a fix. They would then be pretty likely to share it because there is no reason not to do so. In other words, the entire software ecology around JET could be secure while other people and vendors migrate off those deprecated platform components; instead everything is going to remain vulnerable or broken unless Microsoft (insert any other vendor here for other cases) can be shamed into patching it.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
The "article" submitter is only trying to drum up hits to his blog. When it's this obvious, I don't even bother clicking through.
Perhaps it wouldn't solve everything, but IMHO not directly linking the submitter's name to a non-slashdot URL would greatly limit the article spam on here. And, of course, not letting someone use slashdot to blatantly toot his own horn would limit the practice further.
Microsoft's response came as a surprise to him -- it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications.
Has he been living under a rock for the past 20 years? Why would this come as a surprise to him?
"Microsoft is a company, their goal is profit." [spelling correction]
In my opinion, that is a common mistake. Microsoft's main purpose is abuse, not profit. Microsoft is not a software company that is routinely abusive, it is an abuse company that uses software as a means of delivering abuse. If you look at it that way, Microsoft is excellent at what it does.
That follows the general rule that what happens over a long period of time is what the people involved meant to happen.
Being abusive may or may not make money, but it always causes harm to the abusers. That's why Bill Gates has trouble with depression. It's easy to guess that a chair-throwing monkey boy is not a happy camper, either.
Abuse is why Sandy Weill, formerly of CitiBank, had heart trouble, I think. That's why Dick Cheney, U.S. vice-president has heart trouble. (Whaaaat, you say. Dick Cheney has a heart???)
We seem to live in a society dominated by abusers. The dollar is being inflated so that the U.S. government will have enough money to fight a war, so that oil and weapons investors can get control of the oil supply.
it can be crossed.
consult with/trust in yOUR creators. providing more than enough of everything for everyone without any distracting infactdead personal gain motives, whilst badtolling unprecedented evile, using an unlimited supply of (user friendly, highly secure) newclear power, since/until forever. the lights are coming up all over now. see you there?
Why shouldn't those goals be reflected by our corporate overlords?
They completely borked asp support in the sp2 release for the otherwise excellent 2003 server.
How could any test plan have missed that little one? Anyone running any kind of real asp app would be dead in the water with this one. Either they were grossly incompetent, or they purposely nuked asp. Months later and you still have to make a special support request for this patch.
Microsoft no longer cares about most markets because the only one that doesn't have major competition is the PC. Microsoft can't deal with the Pandora's Box of updating critical, widely used things when Linux is slowly gaining ground. If they lose the PC, they lose their only near-monopoly. So they don't care about other issues because they aren't as important to the incentive of making a profit as maintaining a near-monopoly. Hopefully everyone understands the previous sentence... it basically summarizes the rest of the comment.
$ make available
They're making a big deal of the following in both of the links in the article, repeating the same phrase over and over: "some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection"."
They say this twice in one paragraph at one point.
But what does that really mean?
That means a server running ASP, that also is allowing end users to upload .mdb databases to it (???), AND to expose them from whatever location they've been uploaded to so that Connections can be made to them, will be vulnerable.
That's a pretty hefty list of "ifs". If you're letting your users upload .mdb databases to your webserver at all, let alone to a publicly accessible folder, you're already asking for severe trouble. I can't imagine a website out there that would allow such uploading/public exposure to happen that doesn't already have severe security flaws merely by the amount of freedom it's given its users in what they can do on the site.
This is definitely a vulnerability, but the impact to ASP/ASP.NET servers is minimal if the hosts are implementing common sense security practices/user restrictions already.
-Vendal Thornheart
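The scenario Vendal Thornheart describes (uploaded .asp/.mdb files landing in a web-served folder) and the thread's point that .mdb is effectively an executable format are what an upload check on the defender's side needs to cover. The following is an added example, not code from the thread or any poster; it assumes the upload handler hands over a filename and the raw bytes, and it goes slightly beyond the thread by also recognising the newer .accdb (ACE) header alongside the Jet one.

```python
# Upload gate that treats Jet/Access database files as untrusted executables.
# Assumption: the web application calls classify_upload() before writing an
# uploaded file anywhere the web server can serve or ADODB can open it.
import os

# Jet (.mdb) and ACE (.accdb) files carry a fixed ASCII signature at offset 4.
JET_MAGIC_OFFSET = 4
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

# Extensions refused outright: the two file types the comment singles out.
BLOCKED_EXTENSIONS = {".mdb", ".asp"}


def looks_like_jet(data: bytes) -> bool:
    """True if the bytes begin with a Jet or ACE database header."""
    window = data[JET_MAGIC_OFFSET:JET_MAGIC_OFFSET + len(JET_SIGNATURES[0])]
    return any(window == sig for sig in JET_SIGNATURES)


def all_extensions(filename: str) -> list:
    """Every dotted suffix of the basename, lower-cased: 'a.mdb.txt' -> ['.mdb', '.txt']."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_upload(filename: str, data: bytes) -> tuple:
    """Decide whether an upload may be stored under a web-served directory.

    Checks, in order: any blocked extension (including double extensions such
    as 'x.mdb.txt'), then the file content, so a renamed .mdb is still caught.
    Returns (allowed, reason).
    """
    for ext in all_extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return False, f"blocked extension: {ext}"
    if looks_like_jet(data):
        return False, "content is a Jet/ACE database regardless of name"
    return True, "ok"


# Constructed sample inputs (not real files): a minimal Jet-style header padded
# with zero bytes, and a harmless CSV export.
SAMPLE_JET = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 236
SAMPLE_CSV = b"name,phone\nalice,555-0100\n"

if __name__ == "__main__":
    for name, blob in [("sales.mdb", SAMPLE_JET), ("report.csv", SAMPLE_JET),
                       ("notes.mdb.txt", SAMPLE_CSV), ("report.csv", SAMPLE_CSV)]:
        print(name, classify_upload(name, blob))
```

The content check matters more than the extension check: a database renamed to .csv still opens fine through a Jet connection string if it ever reaches a reachable path.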
That convenience and security are at odds is a flawed premise.
Secure software doesn't have holes. User-friendly software is intuitive and does what it should.
No reason the two can't happily co-exist.
Consumer protection rules are very clear on this. If the product is defective, it's still covered under a warranty and must be repaired or replaced at Microsoft's expense.
It gets very interesting when the problem starts to cause other people problems under "innocent third party" laws. The only drawback is that it took nearly 30 years for these laws (and an act of Congress) to take out the lawn darts, so I don't think this has any of the legal team at Microsoft losing sleep.
"Access is the path to the dark side, for Access leads to SQL Server, and SQL Server leads to suffering."
wouldn't they be talking about sharepoint?
I kinda RTFA, but I don't see how you came up with the title for this article. Have you been using the Bullshit Generator again? You did not, in my opinion link usability and security with your words...get some more words please.
"My immediate reaction is 'WTF? What kind of moron doesn't make things 64-bit safe to begin with?'" - Linus
No matter what is written above, it's not just "small business" which use Jet. I'm under an NDA(s), so won't name names, but let's say that, in the course of the last 18 months, I have worked in 1x Top 5 bank and 2x top 10 financial services houses, in the UK, that would collapse if they lost their Access databases within one week. (Guess what my firm was brought in to do?) It's a similar situation to the household name that most people in the UK and US have some direct or indirect monies held in that currently has more than 700 staff in my company working 24 hours a day, 7 days a week to get all their data into a new data warehouse after a rather worrying period where their main DB went down. What was the DB? It was a massively hacked-about version of a CRM package that a developer got off a coverdisc (PCPro magazine to be exact), 6 years ago. Here's the thing: big companies get into the same messes as small companies. If you truly believe that ALL of the top companies are using Oracle DBs, SOA architectures and data warehouses for mining purposes, you're living in a dream world. Working as a solution architect that is meeting 2-3 major, as in top 250, clients a month, and looking at their issues, and the mess that they've got into, I would be surprised if Microsoft manage to hold their "We're not going to fix it" position for long. Fact is, as soon as CIOs get stressed, they start to shout, and they'll shout at Microsoft if they feel that there is an issue. Remember that a lot of the major firms have 10 and 15 year support contracts with Microsoft, each of them bespoke. If one of them demands a fix, it will immediately be made available to all of the others on bespoke support contracts. At which point there is little reason to hold it back from the other major buyers, and so it cascades down the chain.
is not mainstream and not used anymore?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
My proposal is that, at least for security-sensitive products, closed-source software vendors must be forced by law to release their products as open-source after X years from the moment they stop properly handling user complaints. So, if you release a product used in sensitive installations and you stop supporting it after 3 years, you should be expected to open-source it as to allow the user community to maintain it.
This should solve abandonware, which is a very serious problem in security-sensitive software. Releasing closed-source commercial software and then stopping supporting it is bad, especially when it comes down to security. At least, they should give out the code and allow the users to do their best themselves.
Another idea (a bit more extreme) is that, just like patents, closed-source vendors should open-source their stuff X years after the initial software release. Some companies do this voluntarily and it has helped, rather than negatively affected, their sales.
Even though I dislike having too many laws and too much government, I would feel positive about such laws if any lawmakers would be willing to consider them.
... unless said alternatives don't exist. C.f. translation memory applications that can accurately and adequately handle Japanese text. The only one I'm aware of that runs on Linux, for example, is OmegaT, which still doesn't quite cover my needs.
And I'm far from alone, given what I've read here on /. and elsewhere about specific-needs software that can only be found on the Windows platform. Not all of us can get by with just basic office document processing + web browsing.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Security
---------------------
Microsoft
Was that so hard?
And I have to say I'm deeply disappointed in both Shit-eating Troll and Goatse Guy.
They had an opportunity in the Internet Brownout thread to be both apposite and nauseating. Both failed.
Weak, boys. Very weak.
You can't be serious, there is no point. This poster is doing nothing but trying take your time and/or offend you. They aren't trying to push anything except shock. It might not even be the same person doing this over and over again.
Trolling rarely has a point, and this is no different.
Microsoft is not interested in fixing a security flaw in the database they use for their Active Directory system? What, do they not care about the security of their authentication and authorization network OS database?
Color me unsurprised, really (I don't know why they don't use SQL Server anyway, but whatever the reason, they don't yet).
Is Capitalism Good for the Poor?
Stimpy, sometimes your wealth of ignorance astounds me.
If you can trick someone into opening a malicious .mdb file, you've already won; there is no need to do any stack overflow bulls*it. It's an *executable* file format, you idiots.
Microsoft won't patch this because the Jet format already allows for column type definitions that execute callbacks to calculate the value.
http://msdn2.microsoft.com/en-us/library/ms684489.aspx
Of course modifying an mdb file causes a vulnerability. It would be stupid for it not to. As an analogy...he's saying that he can modify an executable file to execute arbitrary code. Well, duh! Since an mdb file can already have executable code in it, in the form of macros, references to ActiveX controls, and vba code, to treat it as anything but an executable is stupid. Microsoft Outlook and other email programs already treat mdb files as suspect. There are plenty of legitimate security holes around, but this isn't one of them.
I'd just like to say thank you for making my job easier.
"Keeping all student records in one table, in perpetuity, so the engine has to slog through records from 10 years ago to find today's current students."
Please tell me this is a mistake, that you really don't believe I can't efficiently find current students in this table? Have you ever heard of indexes?
I think the comments here regarding access as being tinker toy software are off the mark. Access has enabled scores of people to solve problems and manage data themselves.
Sure, you can sit in your geek tower and laugh at the dolts that use Access every day to solve thousands of data management issues. A secretary can be trained to use Access to manage moderately complex data (the numbers on all the new telephones, people interviewed for specific positions and letters sent relative to those positions, products bid out and vendor responses and on and on and on).
Do you really propose that she/he write a web application for this? Or just hack up some Perl with mySQL to manage these things? Or whip out a bit of .NET code? Or would you rather they ask IT to develop an application to do these trivial things?
Access has solved real world problems for real people for a long long time and will continue to do so regardless of how data and/or system design snobs feel about it. It is an empowering piece of software. I think some of the attitudes here are IT centric and not in keeping with the real business end of most companies.
I'm hoping Europeans will help me with the moderation of the parent post. I doubt those who moderated it down really disagree. It's just that many U.S. citizens have difficulty accepting that their government has become somewhat corrupt.
Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications.
Correct. It's more important to code up stupid gadgets that serve no purpose other than to slow down your computer.
In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him
This morning an independent security researcher was surprised that once again the sun rose into the sky this morning. "I was really shocked that the Earth is still spinning, even though it has been for billions of years."
Think Deeply.
Explain Vista then.
XP was China White. Vista is "cheese" .
This is your brain on Windows. Any questions?
Access *has* solved real-world problems.
It has also caused real-world problems.
I have seen *way* more improperly-coded applications in Access and Excel than in any other language or programming system. Why is that? Because people are designing "databases" with no fundamental understanding of data management. People code spreadsheets with no real idea of how to identify and correct bugs. The *only* advantage the user has is knowledge of the data. (Which *is* a good thing, granted.)
Further, an Access database represents an island of information. They are difficult to connect to the rest of the business knowledge base. They are usable only to one or a few people. This feeds into recreational empire-building.
And the worst part: businesses make actual *business decisions* based on these flawed islands of data.
But, it's up to management to figure out which data is "business-critical," and try to ensure that data is managed by data management professionals. Sure, not all data needs that kind of care. But I'd wager most *interesting* data does.
Microsoft is to software what Budweiser is to beer.
Oh gee, these critical binaries have big problems and the vendor is walking away.
How come I didn't think that might happen in 1995 when I bought the binaries? Looks like "free as in freedom" matters sometimes.
"If you're not passionate about your operating system, you're married to the wrong one."
(Ó_ò)
1. If you're in business to make a profit, you realise that long-term profitability depends on goodwill, reputation, brand image and promise, or simply put, not fucking over your customers. Microsoft scores poorly on this one, like many monopolies. But things are changing, as the marketplace slowly starts to punish them. Lack of competition and some real innovation (getting things to work *enough*; I don't mean pseudo-innovation like IBM's OS/2, a much better product, but only if you had IBM PS/2s) got them where they are; now they are losing it. Studies have shown that customers will put up with substandard quality for the 'latest' stuff, especially if it really does deliver genuine value (when it works). Urm, what's compelling about Vista? Office?
2. Making profit also means you're clear about what support costs, and for how long you are offering it. Options exist to get rid of Jet (which, if my memory serves me correctly, has always been a pile of buggy insecure crap, and the subject of many Office-related security patches), so just say either stop supporting it (watch the market scream), or *gasp* make people pay for updates...
The problem is, M$ has always turned into a hybrid of 'product' company and 'software & services' company. Watch while they kill support for XP in the same way, to try and push 'product' sales of Vista. I'm sure, when faced with massive switching costs, big corp. users would pony up plenty for ongoing XP updates...
Whoa... hold on a second people! Did ANY of you even bother to read the "response" from Microsoft?
"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"
THIS IS AN AUTO-REPLY MESSAGE!!!!!!!!!!! C'mon people? You have NEVER seen this before? This simply means that when he "notified" Microsoft, he didn't bother to zip the .mdb file. Since they can be dangerous, the mailer rejected the email.
Maybe he should try zipping the mdb file, then try resending!
Sad.
There are other alternatives and you can vote with your pocket
and use them
you can migrate mdb to firebird or sqlite or postgres and then send them the feedback
http://www.google.co.uk/search?q=openoffice%20firebird&
http://www.firebirdsql.org/manual/migration-mssql.html
http://kexi-project.org/about.html
opensource projects accept the security patches that are created
developer http://flamerobin.org
Access (and Excel, for that matter) have also enabled people to hack up 'business solutions' without the required baseline skills to evaluate if their 'solution' is actually technically, economically or logically correct.
In an age where transparency in the decision process is ever more important, I keep coming across these 'solutions' where the original architect has long vanished, the decision model is at best unclear and is NEVER properly documented, and sometimes whole departments depend on the result of such a black box.
The problems that causes are immense. Apart from the failure risk (those things are rarely backed up in a way that agrees with their importance), there's also the problem that such a model bears no scrutiny and is almost impossible to adapt to changing business situations, nor is it obviously under a decent change control mechanism.
Having said that, Access did at least enable people to discover what IT can do for them, as long as they don't think that hacking something together in Access makes them IT specialists. Access has sometimes allowed clients to model a Proof Of Concept quickly, although some of them seem to be switching to OpenOffice's Base (no specific reason, I just started to come across it). I must have a look at that..
The problem with those toys is that they have become business critical without having the capability to be in that position. I worked in the Global IT Risk Management section of a large bank for a while (non-UK), and -irony of ironies- their core risk management DB was in Access, and their way of speeding up this dog was to ship it to a fat terminal server in India and use Terminal Services.
The contractor in charge of this thing has a job for life, so he's not going to change it, inefficient as it is with multiple users accessing it (and license limits), and the company is too resource-starved to do anything about it, so at the core of these guys' risk management processes sits
.. a huge risk. The irony is IMHO breathtaking, especially since what it does is so basic it would take even an average college graduate with web and MySQL or PSQL skills two weeks to replicate the functionality, but documented (and a heck of a lot faster). I think it would have the shortest ROI time ever. It gets worse: the sole contractor who knows this thing .. is leaving.
And that's not where it stops. Once something like that works, everyone else piles on top of it with custom reports, other datafeeds, and before you know it you have the complex web of interdependencies Microsoft likes to keep itself in business, all built on the loose sand called Access. When that falls over, a large part of the business will fall on its nose, and I've had friends spend months unravelling stuff like that whilst keeping the show going at the same time.
Non-IT people should stay away from toys. Use it for Proof of Concept, thanks, but then let's use something sensible as core platform.
Sensible Access