Bugtraq mailing list archives
Re: Microsoft Access Trojan VBA: The overlooked "macro virus"
From: ct7 () UNICORNSREST ORG (W. Craig Trader)
Date: Wed, 14 Jun 2000 14:55:27 -0400
On Tue, 13 Jun 2000, Johnny wrote:
Microsoft Access Trojan VBA code: The overlooked "macro virus" --[ Brief Summary: Microsoft Access Databases are not afforded "Macro execution protection" in the manner of Word/Excel/Powerpoint documents. Attackers can insert trojan VBA code into MS Access documents to execute arbitrary commands on the remote machine.
[large snip of good coverage]
--[ Conclusion Microsoft has certainly taken strides to protect against application trojans within the Office 2000 suite. However, MS Access would have to be (IMHO) gutted and fileted in order to follow the same security measures. In the mean time, be sure not to trust every MS Access database you stumble across in your inbox unless you're a pine user. ;) I have posted an example .MDB file illustrating some of the above examples on my web site http://johnny.ihackstuff.com/ in the security section. Be warned that the .MDB file will create a top-level registry key called "johnny () ihackstuff com". I have "protected" (*hrmph*) the code by disabling the VBA editor, and shutting down Access as soon as the payload is delivered. Access gets all pissy about that, and sends out a hideous error, but it makes it a pain to use this maliciously.
The problem is even worse than you project because most MS Access developers are not going to deploy their applications on Access 2000. I've had a chance to work with Access 2000, and while it offers a broad range of enhancements (and bugfixes) over Access 97, it has one grave flaw: it doesn't maintain file format compatibility with Access 97. Since Access has never provided any export capability for most of the components of an Access application (tables, queries, macros, reports or forms) and since Microsoft only supports upgrading Access databases to the next (or latest) version, moving an application from Access 97 to Access 2000 is not a decision to be made lightly. Most deployed applications are still running on Access 97 (or even Access 95 or Access 2.0!). Thus Access 97 will be around to cause security problems for years to come. - Craig -
Current thread:
- Microsoft Access Trojan VBA: The overlooked "macro virus" Johnny (Jun 13)
- Re: Microsoft Access Trojan VBA: The overlooked "macro virus" W. Craig Trader (Jun 14)
- Remote DoS attack in AnalogX SimpleServer WWW Version 1.05 Vulnerability Ussr Labs (Jun 15)