stupid security warning in 2003!

[Jacquie]

I upgraded to Access 2003. Now, every time I open a
database, I get the message "The file may not be safe if
it contains code that was intended to harm your computer.
Do you want to open the file or cancel the operation?"
Previously, it had told me I needed the latest Jet update,
and I installed it, but I'm still getting this stupid
message. How can I make it go away? Thanks!

 

[Paul Overway]

You (or the developer) have to get a digital certificate and digitally sign
the source code.

 

[Paul Overway]

Go to Verisign or Thawte and buy a certificate ($400 every 2 years), or
create your own using selfcert.exe (should be installed as optional
component in Office). If you use selfcert, the certificate is only good on
your PC. If your organization has a certificate server, that would be
another option, but more involved. See VBA help concerning digital
certificates and code signing.

 

[TC]

I assume that you distribute Access apps? How are you going to handle this?
No way am I going to shell out $400 (US?!!) *once*, let alone once every 2
years, for a digitial certificate. Would it be feasible/legal (as far as you
know) to distribute selfcert.exe along with the app, & have the app's
install program run it automatically? How would that certificate be tied to
your particular app? Is the app filename given to the selfcert run?

Sorry for the questions, but I don't have A2003 yet.

TIA,
TC

 

[TC]

Ok, thanks for that info. It is clearly more than just including selcert.exe
in your installation process :-(

And, thinking about it, if that was possible, the whole thing would be a
waste of time, because evil guy could do the same thing to deploy his evil
code & bypass the waning on the user's PC! So, that method is probably never
going to work.

As for moving to another development platform, I have about 75,000 lines of
VBA in my main product. Ain't no way I'm gonna spend the next few years
rewriting it, unless I am forced to do so, kicking & screaming, by a team of
mercenaries holding AK47's at my head.

You might post back later, when you've decided how to handle this issue.

TC

 

[TC]

From memory, some 20% of mine is comments! (gasp)

TC

 

[TC]

Are you saying that if security>medium & it is not signed, it will not run -
at all?

TC

 

[Paul Overway]

selfcert.exe was/is available in 2000 and 2002 as well....that is to allow
for signing Word/Excel/Outlook/Powerpoint macros. You have to install
Digital Certificate for VBA projects (it is not installed by default...but
is option during setup under Office Tools). So, you should be able to
experiment with it. Now, Microsoft is applying the same requirement to
Access apps...which I think is pretty stupid really.

Yes, I distribute Access apps. I haven't really decided what to do yet, but
moving to another development platform has crossed my mind. In any case,
I'm telling existing customers to hold off buying 2003, which is buggy
anyway. I've read of some potential work arounds, i.e., set macro warning
reg setting to low when you install your app. But this has some issues, and
may make you liable for any issues. In any case, I'm not at all thrilled at
the prospect of paying $400 every 2 years for what is essentially a digital
ID card. I wouldn't pay $400 for a driver's license either. Microsoft
probably has stakes in Verisign and Thawte.

 

[TC]

(snip)

With unsigned mdbs

If macro security is low, no prompt
If macro security is medium, user gets prompt with scary message...allow it
to open or not (user decides)
If macro security is high (default)...prompt...and it won't run

Paul, sorry to hassle you on this; does that apply to MDEs as well?

TIA,
TC (off for the day!)

 

[Cheryl Fischer]

Paul,

If you distribute/copy the Access application to a customer which has full
copies of Access 2003, can you use the selfcert.exe on each of the
customer's computers to get the application to run?

 

[Paul Overway]

Yes...if you distribute your source code...they can sign it themselves. But
if you distribute MDE (like me), the answer is no. It WILL run without
being signed....as long as macro security is medium and the user answers the
scary message correctly. I don't place that much confidence in users for
any of these scenarios though.

 

[Paul Overway]

Mine is ONLY over 30,000 lines. But I write tight code. ;o)

 

[Cheryl Fischer]

That is disappointing. Well, the really good utility writers came up with
solutions for the Outlook Security Prompt for stand-alone users and
organizations which don't run Exchange. Perhaps, they are working on this
issue, too.

 

[Paul Overway]

With unsigned mdbs

If macro security is low, no prompt
If macro security is medium, user gets prompt with scary message...allow it
to open or not (user decides)
If macro security is high (default)...prompt...and it won't run

 

[Paul Overway]

Yes...and adp, etc.

 

[Joan Wild]

With unsigned mdbs

If macro security is low, no prompt
If macro security is medium, user gets prompt with scary message...allow it
to open or not (user decides)
If macro security is high (default)...prompt...and it won't run

I think that for most (or a great deal of) Access users, they will set
security to low, and be done with it. Afterall, they won't want to get that
prompt every time they open their database. I'm talking about the single
user or small shop. They aren't going to buy a certificate, nor even bother
with a self-cert.

For a large organization or a developer that sells, it's a different story
of course, but I think the majority of Access users are not in this
category.

 

[TC]

I think that for most (or a great deal of) Access users, they will set
security to low, and be done with it. Afterall, they won't want to get that
prompt every time they open their database. I'm talking about the single
user or small shop. They aren't going to buy a certificate, nor even bother
with a self-cert.

For a large organization or a developer that sells, it's a different story
of course, but I think the majority of Access users are not in this
category.

Do you know whether the self-cert program is freely redistributable? (eg. as
part of a commercial product's installation process)

TC

 

[Paul Overway]

It is part of Office. But really, there is little point in distributing it
to end users. If you are distributing run-time, user can't sign code. If
you are distributing to users with Access/Office, they will already have it.

 

[bevnz]

I have gotten past the warning by doing the following;

Open Access and set your security level to low. Answer the
the security warning as "YES" you want to block unsafe
expressions. You will see a msgBox telling you to restart
Access before the new level will take effect.

Close down Access then restart Access. The warning should
be gone and you should be able to open your database.

I can now open all my databases without any warnings at
all. However, I haven't deployed one with this setting
using the Access "Runtime" only to see if it works or not.

Bevnz

 

[cafe]

Ok, understood. I never do runtime, I always require the user to have a
functioning copy of retail Access.

However, if I includef the selfcert program in my installation process, I
would run it from within that process, and the user would not have to do
anything, right? Or, wrong? Because, if I >could< do that, then, an evil
guy could do the same with evil code?

TC