ULS Flaw?

[Guest]

Hi Joan,
< It could be that PC1 or PC2 is joined by default to a mdw that isn't a
standard system.mdw (or is one that has been modified)?>
Since the Wizard creates a new mdb with a random SID for Admins, strips
Admin and Users of all permissions, changes the owner from Admin to the
curent user and assigns the new user a random SID, I don’t see how any
modification to system.mdw would allow it to open the secured mdb. Can you?

The only way I can explain what’s happenign is to assume that the Wizard in
this version of Access doesn’t change the Admins SID stored in the mdb file
if it is different than the Admins SID of the system.mdw of the current PC.
Can you think of any other explanation? If I’m right, you would agree that
this is a flaw in Access, or is there a valid reason for this behaviour?

 

[Joan Wild]

The wizard asks you if you want to modify the existing mdw or create a new one. It could be modifying a mdw that, although named differently than the default, really is just a copy of the default.

On the machine where the wizard appears to not secure it properly, login as a member of the Admins group using your 'secure' mdw and check that
Admin user isn't the owner of anything.
Users Group doesn't have permission to anything.

 

[Guest]

Hi Joan,
<On the machine where the wizard appears to not secure it properly, login as
a member of the Admins group using your 'secure' mdw and check that Admin
user isn't the owner of anything. Users Group doesn't have permission to
anything.>
- The Admin user doesn't own anything and the Users group has not permissions.

I discovered that the system.mdw on PC1 that was causing the trouble was
created by Access 97, and the testing I’ve done suggests that when Access
2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE
THE ADMINS SID STORED IN THE MDB FILE.

To confirm my theory, would you please do the following for me:
- Create an mdb in Access 1997.
- Secure it in Access 2002 using the security wizard.
- Replace the Access 2002 system.mdw file with the Access 1997 system.mdw.
- Try to open the secured mdb by double-clicking it.

 

[Joan Wild]

I discovered that the system.mdw on PC1 that was causing the trouble was
created by Access 97, and the testing I’ve done suggests that when Access
2002 secures an mdb file that was created in Access 1997, IT DOES NOT CHANGE
THE ADMINS SID STORED IN THE MDB FILE.

To confirm my theory, would you please do the following for me:
- Create an mdb in Access 1997.
- Secure it in Access 2002 using the security wizard.
- Replace the Access 2002 system.mdw file with the Access 1997 system.mdw.
- Try to open the secured mdb by double-clicking it.

Sorry but I can't reproduce this. Created a mdb in 97. Secured it using the wizard in 2002. Wasn't able to open the secured mdb via double-click. Replaced the 2002 system.mdw with the 97 system.mdw (not sure why you'd do this, but...); still wasn't able to open the secure mdb via a double-click.

Something else is causing this.

 

[Guest]

Hi Joan,
Thanks for trying. I'll try it on a couple of PCs at work and keep you
posted if you're interested.

 

[Joan Wild]

If you like, you can compact and zip up the 'secure' mdb that isn't working, and I'll have a look.

jwild at tyenet dot com

 

[Guest]

Hi Joan,
I sent the file to you May 10. have you received it?

Also, I sent the same file and instructions to the Microsoft Global
Technical Support Center. Here is their response:

From: "Cherry Tao (CS&S)"
Date: Fri, 11 May 2007 15:34:53 +0800
To: Peter Milewski
Subject: RE: case:SRZ070503001236:Acc2002:security issue

Hi Peter,

Thank you for the mdw file.

I followed all your steps one by one in previous mail and the secured
database can be opened by double click it when the 97 system.mdw is joined to
Access 2002!!!

In conclusion, if the database is created under 97’s system.mdw, secured
under 2002’s system.mdw, the user can still open the secured database under
original 97’s system.mdw by double-clicking it.

I assume this is a security vulnerability between Access 97 and Access 2002.
The workaround correctly is to use the same mdw file to create and secured
the database.

Please understand that Microsoft strives to engineer our products to satisfy
the needs of as many people as possible. Unfortunately, some problems
inevitably arise. We do try to resolve these problems to the best of our
ability. Having said that, we do appreciate the feedback we receive from our
customers such as you. I will submit this issue as a bug to our Offbug site.
The Offbug site is designed to gather information for the product team in
order to make the improvements in Office product releases and its internal.
Issues will be dealt with depending on product cycle needs and relevance to
current product version.

I also invite you to directly submit your ideas or comments to us anytime
via either of the following outlets.

http://support.microsoft.com/contactus/?WS=Wish
http://www.microsoft.com/office/community/en-us/wizard.mspx?type=suggestion

As for the fee, no fee will be applied for this incidence since it is caused
by our products.

In the meantime, I have performed the refund process for you and it will be
and should appear as a refund on your next billing statement; depending on
your billing cycle.

Our primary goal at Microsoft is to make sure our customers are very
delighted with the support they receive. If we don't meet the goal in this
case, please let me know what we can do further to improve your satisfaction
level.

Thanks again for your feedback on our products.

Regards,
Cherry

 

[Joan Wild]

Yes I did get it, and I responded by email. As I said, you had me follow a pretty obscure set of steps. I can't think that one would follow this in any real-world situation. I mean you create a mdb in 2002 while joined to the 97 system.mdw. Then you switch out the 97 system.mdw and replace it with the 2002 system.mdw. Then you proceed to secure it. Then you switch the system.mdw files back again. The secure mdb can be opened by the (what is now the default) 97 system.mdw file in 2002.

I guess in the strictest sense it is a bug; probably related to the fact that the system.mdw are different versions.(?) But you have to admit those are a pretty strange set of steps one would have to follow to create this situation.

The system.mdw for 97 is installed in the windows system folder; while the system.mdw for 2002 is installed in a different location. When one creates a 2002 mdb, it isn't likely they'd be using the 97 mdw. And even if they were, it is further unlikely that they'd then switch to the 2002 system.mdw and then secure it.

If I create a mdb in 2002 using the 2002 system.mdw and then secure it, I can't open it using the 97 system.mdw (nor the 2002 system.mdw). If I create a mdb in 2002 using the 97 system.mdw (and don't switch it back), I can't open it using either 2002 or 97 system.mdw.

Under what circumstances would you see someone switching the system.mdw so much?

For those interested in seeing it:
Using 2002, join the '97 version of system.mdw
Close and reopen 2002 and create a new mdb Test.mdb - close the database
Rejoin the 2002 version of system.mdw
Close Access and reopen Test.mdb (now you're joined to 2002 version of system.mdw)
Run the security wizard - just hit Next 7 times and then Finish
Rejoin the 97 version of system.mdw as the default.
Close Access; You'll now find that you can open the secure Test.mdb with the default set to 97 system.mdw

 

[Chris Mills]

Just a minor comment or two:

The SecFAQ DOES say that mdw's should not be converted (even though there is
such an option in Access).

Most times, it hardly matters and mdw conversions or mixings usually work
fine, but NOT ALWAYS.

The only one I know of for sure is this:
IF you convert a 97 mdw to later mdw it apparently works fine.
BUT, IF the 97 mdw was previously converted from an A2.0 mda, it will fall
over quick-smart on converting to a later version.
THEREFORE, a "97 mdw" is not enough info, because apparently it has
differences depending on how it was generated!

I don't think that particular bug was known when they wrote the SecFAQ,
therefore, the authors must have had suspicions about converting or mixing
mdw's independently!
-----
Of course, MS response is just so much PR BS, like so:
"We do try to resolve these problems to the best of our ability."
B.S. The above bug has been known for a long time. Not to mention, that the
SecFAQ (some of the most experienced people we have) recommend against
converting mdw's whereas MS still provides it as a standard option! SecFAQ has
contained that recommendation for some 10yrs or so!

"I will submit this issue as a bug to our Offbug site."
Why bother? A97 is many versions obsolete from MS point of view, but a long
way from that status in user's point of view.

"Issues will be dealt with depending on product cycle needs and relevance to
current product version. "
Exactly. ULS is obsolete!

It is also clear that, and perhaps understandably, MS tends not to bring out
"hot fixes" but has a standard program of 2 or 3 "standard" SP's in the
life-cycle. Therefore, fixes can't be expected soon even for the most horrid
of bugs!

If they acknowledge it as a bug, your realistic option remains to find a
workaround to avoid it (just as if it was your own bug!!!). I believe I have
been well-warned, by the SecFAQ, that mixing versions of mdw's is fraught with
potential you-know-whats. I do exactly that of course, mix versions, until I
strike some barrier.

In this case, recreate a brand-new mdw, as I had to do in shifting from A97 to
A2000.

If MS wanted to "come clean", they should acknowledge the SecFAQ advice and,
therefore, take "convert mdw" out of the Access menu! (simpler than fixing it
heh-heh)

Chris

 

[Joan Wild]

Chris, none of this requires converting a mdw; nor does it involve 2000. '97 mdw' means the system.mdw that gets installed with Access 97 (you can get a pristine copy from the installation disks if you want to be sure it's pure). '2002 mdw' means the system.mdw that gets installed with Access 2002 (you can rename all the *.mdw files on your machine, and start 2002 - it'll create a pristine one for you).

It is a bug, but I don't see it getting fixed:
a. pretty obscure circumstances in which it would arise - therefore very few customers affected
b. ULS has been deprecated in ACCDB format in 2007
c. official support for '97 is long over

 

[Chris Mills]

Point taken.
Nevertheless, I have always taken 6. of the SecFAQ (I think) as advising
against mixing ("second best").

The fact that I mentioned a bug unrelated to this one, and here is another one
related to mixing, gives me confidence in my lack of confidence in mixing!

In the end, of course, we agree that MS is unlikely to fix it, so the OP still
has to find a workaround. (Doesn't sound too difficult)
-----
OTOH, this sounds like a bad one. Potentially I could do everything "right",
and some other idiot with too much time could still mix&match and overcome my
security? (ignoring that there may be easier ways to break in of course)

That is, it's not clear to me if this is just a development thing to avoid, or
if it could be retrospectively done?

I also think it's weird (but that's no reason against!), that some info in the
mdb seems to be different depending on the version of mdw used at various
steps! I'm fascinated that's all, and maybe it has no practical impact.

Cheers
Chris

Chris, none of this requires converting a mdw; nor does it involve 2000. '97
mdw' means the system.mdw that gets installed with Access 97 (you can get a
pristine copy from the installation disks if you want to be sure it's pure).
'2002 mdw' means the system.mdw that gets installed with Access 2002 (you can
rename all the *.mdw files on your machine, and start 2002 - it'll create a
pristine one for you).

It is a bug, but I don't see it getting fixed:
a. pretty obscure circumstances in which it would arise - therefore very few
customers affected
b. ULS has been deprecated in ACCDB format in 2007
c. official support for '97 is long over

 

[Guest]

Hi Joan,
Thanks for trying this. I really appreciate you taking the time.
Unfortunately for me, this was a very real-world scenario: I had created my
database in Access 97 on one PC (PC1), continued my development and secured
the database in Access 2002 on another PC (PC2), and then found that I could
open the ‘secured’ database on PC1 (which was running Access 2002 at the
time) just by double-clicking the file. (For some reason Access 2002 on PC1
was still using the Access 97 System.mdw in C/Windows/System32.) This
shattered my confidence in ULS, and I wanted to find out how extensive this
bug was.

I believe now that the bug is that when Access 2002 secures an mdb file that
was created in Access 1997, IT DOES NOT CHANGE THE ADMINS SID STORED IN THE
MDB FILE.
As a result, before I run the Security Wizard from now on (in any version of
Access), I’ll copy all of the databases objects into a blank database created
in the version of Access that I’m running the Security Wizard in, and secure
the new database instead.

 

[Joan Wild]

Hi Joan,
Thanks for trying this. I really appreciate you taking the time.
Unfortunately for me, this was a very real-world scenario: I had created my
database in Access 97 on one PC (PC1), continued my development and secured
the database in Access 2002 on another PC (PC2), and then found that I could
open the ‘secured’ database on PC1 (which was running Access 2002 at the
time) just by double-clicking the file. (For some reason Access 2002 on PC1
was still using the Access 97 System.mdw in C/Windows/System32.) This
shattered my confidence in ULS, and I wanted to find out how extensive this
bug was.

Well, those are not the steps you outlined to me, and I can't reproduce, using the steps above.

I believe now that the bug is that when Access 2002 secures an mdb file that
was created in Access 1997, IT DOES NOT CHANGE THE ADMINS SID STORED IN THE
MDB FILE.

I think it is happening because you create a *2002* (not 97) mdb, while joined to a 97 system.mdw, and then you switch to the 2002 system.mdw and proceed to secure.

As a result, before I run the Security Wizard from now on (in any version of
Access), I’ll copy all of the databases objects into a blank database created
in the version of Access that I’m running the Security Wizard in, and secure
the new database instead.

Converting the mdb from 97 to 2002 should have done that, but I think the more important point is that you create that new blank mdb *while joined to the correct version of system.mdw*.

 

[Joan Wild]

OTOH, this sounds like a bad one. Potentially I could do everything "right",
and some other idiot with too much time could still mix&match and overcome my
security? (ignoring that there may be easier ways to break in of course)

That is, it's not clear to me if this is just a development thing to avoid, or
if it could be retrospectively done?

My testing demonstrates (for me) that it is a development thing to avoid.

If I create a 2002 mdb, using the proper version of system.mdw, and then secure it, it cannot be opened while joined to *any* version of system.mdw.