MS Access 2/2
Gail E. Kampmeier
gkamp at UIUC.EDU
Mon Aug 21 13:16:08 CDT 2000
Apply the patch provided by Microsoft
Microsoft has released the following patch which addresses the "IE
Script" vulnerability, as well as others:
Please see MS00-055 "Patch Available for 'Scriptlet Rendering'
Vulnerability" for additional information regarding other issues
addressed by this patch:
Note that the OBJECT tag issues addressed by MS00-049, MS00-055, and
this advisory are separate from those addressed by the recently
released MS00-056: "Patch Available for 'Microsoft Office HTML Object
Microsoft's initial workaround for this issue was for users to set the
Admin password for Access. Since Access does not allow a user to
disable VBA code embedded in Access data and project files, the CERT
Coordination Center recommends that users follow the suggested
workaround and set the Admin password even after the patch for this
vulnerability has been applied.
Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.
Appendix A. Vendor Information
Microsoft has published the following documents regarding this issue:
Appendix B. Additional Information
The full list of OBJECT tag extensions which may be used to exploit
this vulnerability is listed below:
* .adp - Microsoft Access project file
* .ade - ADP file with all modules compiled and all editable source
* .mdb - Microsoft Access database file
* .mde - MDB file with all modules compiled and all editable source
* .mda - Microsoft Access VBA add-in
* .mdw - Microsoft Access workgroup information file; synonym for
  the system database used to store group and user account
  names and the passwords used to authenticate users when
  they log on to an Access database or MDE file secured
  with user-level security
The patch provided by Microsoft addresses all the file extensions
Please consult the following resources for further information
regarding the other file types involved in exploiting this
The CERT Coordination Center thanks Timothy Mullen, Alan Paller
and the SANS Research Office, and the Microsoft Security Response
Center for their help in developing this advisory.
Author: Jeffrey S. Havrilla
This document is available from:
CERT/CC Contact Information
Email: cert at cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available
from our web site
To be added to our mailing list for advisories and bulletins,
send email to cert-advisory-request at cert.org and include
SUBSCRIBE your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.
August 11, 2000: Initial release
Gail E. Kampmeier, Research Entomologist, Illinois Natural History Survey,
Box 5 NSRC, MC-637, 1101 W. Peabody, Urbana, IL 61801 USA
ph. 217-333-2824; fax 217-333-6784; email: gkamp at uiuc.edu
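
The Appendix B extension list above, turned into a content check that a mail or web gateway could run over HTML. This is an added example, not part of the CERT advisory or the forwarded message. It assumes only that the Access file is named in some attribute of the OBJECT tag; the sample HTML, host name and class ID are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions listed in Appendix B of the advisory.
ACCESS_EXTENSIONS = (".adp", ".ade", ".mdb", ".mde", ".mda", ".mdw")

# Constructed sample page (not taken from the advisory).
SAMPLE_HTML = """<html><body>
<OBJECT data="http://files.example/books.MDB?x=1" id="d1"></OBJECT>
<object classid="clsid:00000000-0000-0000-0000-000000000000" data="chart.gif"></object>
<object data='reports/q3.ade#top' />
<a href="archive.mdb">not an OBJECT tag</a>
</body></html>"""


def references_access_file(value):
    """True if the path part of a URL or file name ends in a listed extension."""
    try:
        path = urlsplit(value.strip()).path  # drops ?query and #fragment
    except ValueError:  # malformed URL: fall back to the raw string
        path = value.strip()
    return path.lower().endswith(ACCESS_EXTENSIONS)


class ObjectTagScanner(HTMLParser):
    """Collect OBJECT tags with any attribute that names an Access file type."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line number, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; self-closing tags also arrive here.
        if tag != "object":
            return
        line, _ = self.getpos()
        for name, value in attrs:
            if value and references_access_file(value):
                self.findings.append((line, name, value))


def scan_html(text):
    """Return the findings for one HTML document."""
    scanner = ObjectTagScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for line, name, value in scan_html(SAMPLE_HTML):
        print(f"line {line}: OBJECT {name}={value!r}")
```

A hit is a reason to quarantine or strip the tag before the page reaches a browser, in addition to applying the patch and setting the Admin password as the advisory recommends.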