chir.ag/tech [archive]


ARCHIVE: Stupid 'Security' Problem - MS Access in WinXP SP2

Tue. Aug 2nd 2005, 10:34am:

This issue relates solely to users of Microsoft Access databases. If you have Windows XP SP 2 and download any unsigned MDB file from the internet via http, ftp, email etc., the "intelligent" security model that is Windows XP prevents you from opening the file under any condition. You will get the following error: "Microsoft Access cannot open this file. This file is located outside your intranet or on an untrusted site. Microsoft Access will not open the file due to potential security problem."

Even though the file is located on your own hard drive and not on an external network, Access thinks it's unsafe to open, never mind the fact that you are desperately trying to get it to open because you need to get on with work. Took me a while to figure out what was going on with a business partner of ours who downloaded an Access DB locally to connect to our remote server.

Turns out, it's a very simple fix: Right-click on the MDB file icon and select 'Properties' followed by 'Unblock' - hit 'Apply' and you're all set. Access should open the file normally. Sure it works now, but through no fault of mine or our partner's, both of us wasted an hour trying to redownload the file, cleaning the cache, disabling anti-virus software, verifying IE's security level configuration etc.

Here's what all went wrong:

  1. Microsoft never announced that SP2 for WinXP will make downloading unsigned files absolutely useless. If they did, then it's probably lost in the fine-print of a thousand-page change log. This is not a minor security fix but a pretty big one - it affects the control users have on their computer.
  2. Microsoft decided that file-types like MDB are critically unsafe (and you actually need to use Microsoft's own MS Access software to create these files!) and blocked them. It's like Honda realizes their Honda CD Players are unsafe and prevents them from being played at all in every new Honda. When you install SP2, you are not told or warned that some files downloaded from the internet (http, ftp, email etc.) will be automatically tainted and blocked unless you specifically unblock them. No I did not get the memo. You just can't change things on a whim.
  3. The concept of signed and unsigned files itself is absolutely flawed. Signed just means who made the file. Doesn't make a difference in protecting you. If you downloaded an MDB file from CompanyX.com then it automatically means that you chose to trust 'Company X' so there really isn't a need for signing the MDB files. I'd blame the user if they downloaded a rogue MDB from WarezY.com and got infected. How about MS make it so that random MS Access MDBs downloaded from anywhere can't really do potentially dangerous stuff unless allowed by the user? "Hey this MDB file is trying to delete files in your Windows\System32 folder - Are you sure you want to allow it?"
  4. There was no MSKB article on the error mentioned above that said click the 'Unblock' button. There were two articles saying that you need to map the drives or allow certain IPs/domains to your local intranet level but neither said that Windows XP SP2 intentionally screws with MDBs.
  5. The MS Access error itself is wrong. The file is NOT on the internet, it is NOT outside my local intranet, and it is most definitely not a potential security problem! But I guess the way Windows XP Security Model works is that it blocks the file before MS Access can read it and since Access receives a 'blocked' error, it responds with the only natural error message: It was blocked because it's on the internet and hence unsafe.

Anyways, the problem is fixed now and I hope this entry helps some other troubled soul fix it too.
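
The 'Unblock' button works by deleting an NTFS alternate data stream named `Zone.Identifier` that Windows attaches to downloaded files, which is why a file sitting on the local disk can still be treated as coming from the internet. The sketch below is an added example, not part of the original post: it reads that stream so you can see which zone a file was marked with before deciding to unblock it. The sample stream contents are constructed, and the rule for which zones cause the block is an assumption.

```python
import configparser
import sys

# Windows URL security zone numbers as stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed stream contents (not captured from a real file).
SAMPLE_DOWNLOADED = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_mark(path):
    """Read the mark of a file on NTFS; None when no stream exists (or not on Windows)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def assess(zone_id):
    """Describe what a mark means for opening the file."""
    if zone_id is None:
        return "no mark: treated as a local file"
    name = ZONES.get(zone_id, "unknown zone %d" % zone_id)
    # Assumption: Internet (3) and Restricted Sites (4) marks are the ones
    # that trigger the block; lower zones are trusted enough to open.
    if zone_id >= 3:
        return "marked %s: blocked until 'Unblock' removes the stream" % name
    return "marked %s: not blocked" % name


if __name__ == "__main__":
    for sample in (SAMPLE_DOWNLOADED, SAMPLE_INTRANET, ""):
        print(assess(parse_zone_identifier(sample)))
    for path in sys.argv[1:]:  # optional: real files on a Windows/NTFS volume
        print(path, "->", assess(read_mark(path)))
```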