Computerworld - Timothy Mullen is a hacker in the truest sense because he's always testing the limits of technology. Take July, when he wasn't content to take at face value Microsoft's work-around for the Windows Access vulnerability. (That's the really scary vulnerability in which crackers can drop evil scripts into HTML tags [Computerworld Online, July 18] and exploit the Access database program to launch any type of program they want on Windows machines.)
Mullen, CIO at Anchorsign Inc., a Charleston, S.C., producer of electronic signs, analyzed Microsoft's work-around, which was included in its update and patch at www.microsoft. com/technet/security/bulletin/ MS00-049.asp.
The work-around gave administrators, through Microsoft Access Work Group Manager, the option of prompting users for their names and passwords before launching Access programs. The prompt tells the user that someone is trying to launch Access and allows the user to prevent that from happening.
Mullen's curiosity led to an amazing discovery. The work-around didn't protect machines running Access 2000.
That's because the work-around works only with the file type that executes Visual Basic for Access code in older versions of Access - the Microsoft Database file, said Scott Culp, Microsoft's security program director.
With Access 2000, Microsoft introduced new file types called Access Data Project and Access Project Extension that allow users to directly link into a SQL Server database so they can write code and directly program stored procedures, tables or other functions, Mullen says.
By exploiting these new file types, attackers can still launch malicious scripts without Access telling the user until after it has launched the malicious file, Mullen continues.
When Mullen explained this to the SANS Institute (www.SANS.org), a cooperative/educational organization for systems administrators and security professionals, research director Alan Paller described the problem as a serious threat.
"The problem is, you've got two different file types in Access that carry out the script - one of which requires a password, and one that doesn't," Paller says. "The one that doesn't require the password is much smaller, so the damage would happen faster."
On July 20, the SANS Institute contacted Microsoft.
"We thought it was prudent to pull the patch back and provide fixes for all the variants of this vulnerability, including those that aren't publicly known like [the Access 2000 vulnerability]," Culp says. "We're hoping to get a patch out soon. But it takes time to make it run correctly with the thousands of other program combinations it might end up in."
Although no victims have yet come forward, SANS Institute members worried about what would
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
Richi Jennings: Eolas shakedown -- please don't feed the (patent) trolls