MS Access 2/2

Gail E. Kampmeier gkamp at UIUC.EDU
Mon Aug 21 13:16:08 CDT 2000

III. Solution

Apply the patch provided by Microsoft

   Microsoft has released the following patch which addresses the "IE
   Script" vulnerability, as well as others:

   Please see MS00-055 "Patch Available for 'Scriptlet Rendering'
   Vulnerability" for additional information regarding other issues
   addressed by this patch:

   Note that the OBJECT tag issues addressed by MS00-049, MS00-055, and
   this advisory are separate from those addressed by the recently
   released MS00-056: "Patch Available for 'Microsoft Office HTML Object
   Tag' Vulnerability."

   Microsoft's initial workaround for this issue was for users to set the
   Admin password for Access. Since Access does not allow a user to
   disable VBA code embedded in Access data and project files, the CERT
   Coordination Center recommends that users follow the suggested
   workaround and set the Admin password even after the patch for this
   vulnerability has been applied.

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

Appendix A. Vendor Information

Microsoft Corporation

   Microsoft has published the following documents regarding this issue:

Appendix B. Additional Information

   The full list of OBJECT tag extensions which may be used to exploit
   this vulnerability is listed below:

     * .adp - Microsoft Access project file
     * .ade - ADP file with all modules compiled and all editable source
              code removed

     * .mdb - Microsoft Access database file
     * .mde - MDB file with all modules compiled and all editable source
              code removed
     * .mda - Microsoft Access VBA add-in

     * .mdw - Microsoft Access workgroup information file, synonym for
              the system database used to store group and user account
              names and the passwords used to authenticate users when
              they log on to an Access database or MDE file secured
              with user-level security

   The patch provided by Microsoft addresses all the file extensions
   identified above.

   Please consult the following resources for further information
   regarding the other file types involved in exploiting this


       The CERT Coordination Center thanks Timothy Mullen, Alan Paller
       and the SANS Research Office, and the Microsoft Security Response
       Center for their help in developing this advisory.

       Author: Jeffrey S. Havrilla

       This document is available from:


CERT/CC Contact Information

       Email: cert at
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
           CERT Coordination Center
           Software Engineering Institute
           Carnegie Mellon University
           Pittsburgh PA 15213-3890

       CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

Using encryption

       We strongly urge you to encrypt sensitive information sent by
       email. Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

Getting security information

       CERT publications and other security information are available
       from our web site

       To be added to our mailing list for advisories and bulletins,
       send email to cert-advisory-request at and include
       SUBSCRIBE your-email-address in the subject of your message.

 * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2000 Carnegie Mellon University.

   Revision History

   August 11, 2000:  Initial release

Gail E. Kampmeier, Research Entomologist, Illinois Natural History Survey,
Box 5 NSRC, MC-637, 1101 W. Peabody, Urbana, IL 61801 USA
ph. 217-333-2824; fax 217-333-6784; email: gkamp at
