OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Microsoft Access Trojan VBA: The overlooked "macro virus"
From: W. Craig Trader (ct7UNICORNSREST.ORG)
Date: Wed Jun 14 2000 - 13:55:27 CDT


On Tue, 13 Jun 2000, Johnny wrote:

> Microsoft Access Trojan VBA code: The overlooked "macro virus"
>
> --[ Brief Summary:
>
> Microsoft Access Databases are not afforded "Macro execution protection"
> in the manner of Word/Excel/Powerpoint documents. Attackers can insert
> trojan VBA code into MS Access documents to execute arbitrary commands
> on the remote machine.

[large snip of good coverage]

> --[ Conclusion
>
> Microsoft has certainly taken strides to protect against application
> trojans within the Office 2000 suite. However, MS Access would have
> to be (IMHO) gutted and fileted in order to follow the same security
> measures. In the mean time, be sure not to trust every MS Access
> database you stumble across in your inbox unless you're a pine
> user. ;)
>
> I have posted an example .MDB file illustrating some of the above
> examples on my web site http://johnny.ihackstuff.com/ in the
> security section. Be warned that the .MDB file will create
> a top-level registry key called "johnnyihackstuff.com". I have
> "protected" (*hrmph*) the code by disabling the VBA editor, and
> shutting down Access as soon as the payload is delivered. Access
> gets all pissy about that, and sends out a hideous error, but it
> makes it a pain to use this maliciously.

The problem is even worse than you project because most MS Access
developers are not going to deploy their applications on Access 2000.

I've had a chance to work with Access 2000, and while it offers a broad
range of enhancements (and bugfixes) over Access 97, it has one grave
flaw: it doesn't maintain file format compatibility with Access 97. Since
Access has never provided any export capability for most of the components
of an Access application (tables, queries, macros, reports or forms) and
since Microsoft only supports upgrading Access databases to the next (or
latest) version, moving an application from Access 97 to Access 2000 is
not a decision to be made lightly. Most deployed applications are still
running on Access 97 (or even Access 95 or Access 2.0!).

Thus Access 97 will be around to cause security problems for years to
come.

- Craig -