Access Memory Leak patched after only 17 years!

isladogs

MVP / VIP
The latest Office Watch email that I received contained a link to this article: Another Access memory leak finally patched

According to the article the issue has existed in all versions of Access since 2002. It could potentially be used by hackers to obtain private information though that seems unlikely in most cases.
The patch was released last month but only applies to A2010 and later (the versions currently supported).
So if you have A2002/3/7, the issue has still not been fixed and probably never will be!

The timing of this patch and the versions affected does make me wonder whether this was the security update that led to the infamous "query is corrupt" bug as a side effect. Purely conjecture on my part, but if so, it may explain why MS didn't immediately withdraw that security update.
 

GinaWhipp

AWF VIP
Hmm, at that rate the *Database in an inconsistent state* should be fixed long after I retire! :D
 

shadow9449

Registered User.
I read the release and I may not be understanding this correctly:

Both are faults in the way Access saves data to memory locations in ways that hackers could exploit. Those memory chunks are usually useless but could contain private information like names, passwords etc. Anything saved to memory could get dumped into an Access database or as Microsoft puts it “compromise of the confidentiality, integrity, or availability of a user’s data, or of the integrity or availability of processing resources.”

What type of data are we talking about that would be compromised? Data in the Access database? If so, then the leaked memory isn't any less secure than the Access database. Most of us Access users know that Access databases aren't the best place for confidential data.

Put another way, if a hacker wanted your secret data, it would probably be a whole lot easier to get into the database tables and grab the mother-lode than to scan for leaked data blocks. I don't know if this is true if the data is in the weakly-encrypted formats allowed by Access 2010 and above or using Colin's methods of hiding data, but the rule of thumb remains not to use Access for protected data.

I may be misunderstanding the article.
 

isladogs

MVP / VIP
I agree that the linked article isn't clear and nor are the two MS articles announcing the two fixes.
I suspect the Doc_Man may have something to say on the matter.

Most security vulnerabilities are difficult for mere mortals like ourselves to understand. However, experienced hackers are on the lookout for any back doors which allow them to extract useful data.

I do know of a method (which I'm not going to explain for obvious reasons) by which the contents of an encrypted database could until now be exposed externally as unencrypted data.
I'll run a test later and see if that's now been fixed.
 

shadow9449

Registered User.
What I really don't understand is this part:

Those memory chunks are usually useless but could contain private information like names, passwords etc. Anything saved to memory could get dumped into an Access database

So Access database #1 is writing data to memory and not cleaning up, so someone who's hacked the computer can grab that data and write it to Access database #2? I can't understand any other interpretation of this, which leaves me with my question that however the hacker got control of the computer, they can probably hack a whole lot more than the blocks of leaked memory, especially if the data is in Access in the first place. Most databases are NOT secure and even if they are, they are probably easier to bust than the leaked memory blocks.
 
