Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Fine Line Between Security and Usability

Posted by ScuttleMonkey on from the discarding-old-tech dept.

SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."

14 of 195 comments (clear)

  1. In my opinion by moogied · · Score: 4, Insightful

    Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile. They want money. As every company on earth does. That is where the line is drawn. Exactly where it becomes unprofitable.

    --
    So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
    1. Re:In my opinion by jmv · · Score: 4, Insightful

      That's what really bothers me about the libertarian-neocon view on corporations. You have at the same time:

      1) Companies are only there to make a profit and don't have to care about things like environment, security, ...

      2) Regulation is evil, let the companies do whatever they like and the market will sort it out.

      Logical conclusion from 1) and 2) is that we're pretty much screwed and back to some kind of feudalism. And no, most people do not vote with their wallets and the Market will not sort it out magically (otherwise, CO2 emissions would already be on the way down and there wouldn't be all these environmental problems).

      --
      Opus: the Swiss army knife of audio codec
    2. Re:In my opinion by mrbluze · · Score: 4, Insightful

      Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile.

      As correct as you are, there does not need to be a fine line between usability and security. There needs to be (and of course there will be) an ongoing evolution in software design to offer usability without compromising security. I reckon it won't be a long time before any software program that gets run in userspace (or any space) has to go out on bended knee requesting to do anything - forced to abide by a security policy by default which limits its access. I don't mean the old broad-brush users/groups/device permissions etc. model that is everywhere now, but stuff like "only allowed to read from this folder, only allowed to talk to this or that application, etc." with very low level behaviour controls.

      I don't think this needs to result in a "the mouse pointer wants to move, confirm/deny" scenario, but that the software designers need to submit with their product a security policy within which their applicaton has to function. The user should be able to very easily browse this policy and see what the program expects to be able to do, and override things, such as "access the internet using HTTPS at port 3232 to server www.phonehome.net" or sloppy things like "read contents of /etc recursively" instead of "read contents of /etc/mostlyharmlesswidget/config".

      I know things like this already exist and there is a limited implementation of it, but to me that just confirms the point that it is the obvious next step.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    3. Re:In my opinion by fm6 · · Score: 4, Insightful

      Microsoft is a company, there goal is profit.
      So what? You think there's no connection between security and profit? Next you'll be telling me that Ford's goal is profit, not reliable cars. Of course, nowadays they have neither...

      This whole discussion is based on a faulty premise, that MS is leaving its Access users without a fix. They have a fix, and they've had it for some time: stop using MDB format and convert your databases to a data engine that isn't a POS. They've deprecated MDB and Jet Engine. That means they're telling their customers "Don't use that stuff any more, it's faulty." The fact that they continue to support customers who ignore the deprecation doesn't change that.

      There is the little detail that Access itself is a POS. But that's designed in — not much they can do about that.
  2. This is not news to me... by rickb928 · · Score: 4, Insightful

    ... that Microsoft doesn't want to fix Jet.

    They'd rather you re-wrote your app and used MSDE, or something with .NET in it.

    Not a lot of money in supporting the db engine they give away.

    And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?

    A pox on them all. I hope we re-write our app in mySQL.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:This is not news to me... by berzerke · · Score: 3, Insightful

      ...all the dumb bastards that decided to rely on a free piece of software from a company with a horrible reputation for customer support and secure coding practices get what they deserve!

      Except with the Internet and massive databases floating around, we are all interconnected. Jet DBs may not be massive, but that doesn't mean the company doesn't have access to other real databases. OK, so the stupid company gets owned. Now, if they have any info on me, that's in the criminal's hands, and good luck getting compensation even if the company admitted full responsibility. Their Internet connection can now be used to spam or DOS me. If they go out of business, think about all the employees who had nothing to do with the IT decisions (and those who opposed this particular one). They get to stand in the unemployment line. Vendors might get shafted on unpaid invoices.

      Just because your system is secure doesn't mean you don't get affected by someone else's insecure system. And no, I don't know what the solution to that problem is.

  3. This doesnt matter by hcmtnbiker · · Score: 3, Insightful

    IMO this potential exploit is useless unless you're doing something with a JET database that you shouldn't be anyways. JET doesn't have database transactions, sure if you want to you can write them in at the application level but that's incredibly costly. If you're allowing people you don't trust to access a JET database something is wrong. JET will screw up if two users try to modify it at the same time, so why would someone you don't trust be using it, they could just as easily cost you enough damage by just modifying the DB while you are. SQL is used for that sort of thing, NOT JET.

    --
    If i had one dollar for every brain you dont have, i would have $1.
  4. Patching one hole in a pegboard by Volante3192 · · Score: 4, Insightful

    So to fire off this vulnerability, you have to run an .mdb file you found from "somewhere." Never mind these things could have embedded VB macros and other controls that could wreak havoc.

    Why not just start running installs you find from "somewhere?"

    Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expence of neutering the key selling point: stupid easy to do anything with?

  5. Re:do users care? by cdrguru · · Score: 3, Insightful
    Source code escrow was far more interesting in the late 1980s when some folks actually believed that if they paid for an application (and often a substantial fraction of its development) that they should have access to the source code if the author wasn't available. Part of this came from companies that got burned by the author abandoning their work for one reason or another. Part of it was also that it was a marketing tool - see, the source code can be gotten...

    Today that fantasy has mostly dispersed. Most companies know that if they don't develop an application internally they are at someone else's mercy. There are fewer failures of larger software publishers but even the larger ones sometimes abandon some application leaving the users in a bad spot. But having the source for a 150,000 line (or more!) application doesn't mean a company could compile it, much less fix a serious bug. In general it would take someone a long time to get familiar enough with something like this to be able to work on it with any degree of confidence. Especially a company with a mission-critical application needing a bug fixed - it would take months, often paying a consultant $150+ an hour.

    The "new" strategy seems to be:

    1. deal with larger, established companies whenever possible and hope their user base is large enough that they can just keep pushing out updates and have the product remain revenue-positive.
    2. Write off stuff that is abandoned because it is cheaper to switch to something else than try to independently resurrect something dead.
    3. Never ever do anything internally that could possibly be bought as off-the-shelf.

    Mostly, this is a lot smarter than the late 80s strategy.

  6. Re:Easy by Jeremiah+Stoddard · · Score: 3, Insightful

    No; I know of no industry that works like that other than software. First, if a product is defective, I can return it and get it refunded or replaced. Beyond the warranty period, I still have the ability to alter it myself. Not so with software -- I can't return an opened package, even if the program doesn't work, and the EULA prevents me from making ANY modifications. Also, 10 years from now if it is discovered that my model of car has a "security risk", i.e. it explodes at random without warning, the manufacturer can still be held responsible. In this case, the software companies are trying to ditch any responsibility for their product, and require that the user pay them again for a newer version if they want their problem fixed. What's really stupid is your suggestion that the consumer is obligated to deal with a defective product.

  7. Re:why do people by kelnos · · Score: 4, Insightful

    Unfortunately, with Access, it's not about the database itself, but about the GUI tools that many people find easy to use...

    --
    Xfce: Lighter than some, heavier than others. Just right.
  8. It's not just small businesses by RipSlider · · Score: 4, Insightful

    No matter what is written above, it's not just "Small business" which use Jet. I'm under an NDA(s), so won't name names, but lets say that, in the course of the last 18 months, I have worked in 1x Top 5 Bank and 2x top 10 financial services houses, in the UK, that would collapse if they loose their Access Databases within one week. ( Guess what my firm was brought in to do?) It's a similar situation to the household name that most people in the UK and US have some direct or indirect monies held in that currently has more than 700 staff in my company working 24 hours a day, 7 days a week to get all their data into a new data ware house after a rather worrying period where their main DB went down. What was the DB? It was a massively hacked about version of a CRM package that a developer got off a coverdisc ( PCPro magazine to be exact ), 6 years ago. Here's the thing: Big companies get into the same messes as small companies. If you truely believe that ALL of the top companies are using Oracle DB's, SOA architectures and data warehouses for mining purposes, your living in a dream world. Working as a solution architect that is meeting 2-3 major, as in top 250, clients a month, and looking at their issues, and the mess that they've got in to, I would be suprised if Microsoft manage to hold their "We're not going to fix it" position for long. Fact is, as soon as CIO's get stressed, they start to shout, and they'll shout at Microsoft if they feel that there is an issue. Remember that a lot of the major firms have 10 and 15 year support contracts with Microsoft, each of them bespoke. If one of them demands a fix, it will immediately be made available to all of the others on bespoke support contracts. At which point there is little reason to hold it back from the other major buyers, and so it cascades down the chain.

  9. Re:why do people by TheRaven64 · · Score: 4, Insightful

    Access is not a database, it's a RAD tool for data-drive apps. You use Access when you want to quickly create a GUI for processing data (well, now you'd probably write a web app, but in the '90s it was the thing to use). Once you've done this, you progressively add features to your simple tool. Eventually, you have something that sprawls over thousands of lines of unmaintainable code, depends on Access, and is vital to your company.

    --
    I am TheRaven on Soylent News
  10. an mdb file is already an executable by Xoc-S · · Score: 3, Insightful

    Of course modifying an mdb file causes a vulnerability. It would be stupid for it not to. As an analogy...he's saying that he can modify an executable file to execute arbitrary code. Well, duh! Since an mdb file can already have executable code in it, in the form of macros, references to ActiveX controls, and vba code, to treat it as anything but an executable is stupid. Microsoft Outlook and other email programs already treat mdb files as suspect. There are plenty of legitimate security holes around, but this isn't one of them.