
Re: ODBC Security Terminated By Microsoft

From: Mitchell Hughes <mitchelh_at_microsoft.com>
Date: 1997/04/17
Message-ID: <01bc4b5b$32705120$c374389d@mitchelh2>

Daniel,

As one of the Program Managers at Microsoft for ODBC, I would like to respond to the points you presented in your posting.

First, to say that we have knowingly compromised security is being a bit sensationalistic. The tools to do exactly what the trace DLL is doing have been around for many years. Some, like Dr. DeeBee Spy, are distributed with Intersolv's ODBC driver pack, and available to a large number of people. I have seen samples of code that can trace calls to DB-Library and OCI available through public forums. These are nothing new. Experienced computer security managers should be well aware of these kinds of potential risks.

I don't think anyone would disagree that any machine that someone can gain physical access to is a machine at risk, with or without ODBC installed. Any nefarious person who has physical access to a machine can take data, install remote debugging components, install programs or replace components to give himself access to whatever he wants.

However, I cannot understand how having the ODBC Trace DLL installed on a machine will allow someone to gain network or internet access to the machine. The Trace DLL records the sequence of ODBC calls made by an application to a file. It does not give anyone magical access to a computer. I am very interested in the thorough testing you have done on this. If you have found something of which we were not aware, I would like to know so that it can be fixed.

Your next statement urging people to rewrite all their ODBC applications using Oracle Forms or Delphi is a little irrational, as both can use ODBC datasources. To state that companies must not allow any product using ODBC 3.0 on the premises seems to be an attempt to instigate hysteria. ODBC 3.0 does not increase or decrease security exposures any more or less than any previous version of ODBC.

Your "understanding that this has been done intentionally so that Microsoft can force its data encryption scheme on the world" is wrong. We (I, the developer, and test) put these tracing capabilities in at the request of the product support people at Microsoft and at companies all over the world who need this information to help resolve users' problems accessing data. One of the commonly reported problems is connecting. There is no conspiracy here, just a desire to help the users of our tools. Our goal in the ODBC team is to try to find better, easier, and faster ways for people to get access to data.

F. Mitchell Hughes
ODBC Program Manager, Microsoft

Daniel A. Morgan <dmorgan_at_exesolutions.com> wrote in article <334DBFC8.2F34_at_exesolutions.com>...
> I put this information here with mixed feelings but will trust that
> those of you who visit this group are professionals who will not abuse
> this knowledge.
>
> Microsoft, in its new release of ODBC (version 3), the one being
> distributed with Office '97 has knowingly compromised security for all
> ODBC systems on machines where Microsoft's ODBC manager is installed.
> This fact is clearly stated in the help system. We have tested it
> thoroughly and determined that it is easy to read user id and password
> from any machine to which someone can gain physical access, network
> access, or internet access.
>
> If you have a database using ODBC, and you or your company need to have
> this data secure from internal and/or external exposure you MUST NOT
> allow any product on premises with the new ODBC manager or MUST rewrite
> the product to use Oracle Forms or Delphi or some other product that
> does not require ODBC.
>
> My understanding is that this has been done intentionally so that
> Microsoft can force its data encryption scheme on the world.
>
> Daniel A. Morgan
>
Received on Thu Apr 17 1997 - 00:00:00 CDT
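A defender-side check that follows from the point made above (the trace DLL writes the sequence of ODBC calls, connection strings included, to a file). The PowerShell below is an added example, not code from either poster or from Microsoft: it reads the ODBC tracing settings Microsoft keeps under HKCU\Software\ODBC\ODBC.INI\ODBC (the HKLM copy is an assumption), reports whether tracing is on, scans the configured trace file for UID=/PWD= pairs, and lists who can read that file.

```powershell
# Audit ODBC tracing exposure on a Windows host (added example).
# Registry locations: Microsoft's per-user ODBC tracing settings live under
# HKCU\Software\ODBC\ODBC.INI\ODBC; the HKLM path is assumed here for a
# machine-wide copy and is skipped silently if absent.
$tracePaths = @(
    'HKCU:\Software\ODBC\ODBC.INI\ODBC',
    'HKLM:\Software\ODBC\ODBC.INI\ODBC'   # assumption: machine-wide setting
)

function Get-OdbcTraceState {
    foreach ($p in $tracePaths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -eq $v) { continue }
        [pscustomobject]@{
            Scope     = $p
            Enabled   = ($v.Trace -eq '1')   # "1" means tracing is switched on
            TraceFile = $v.TraceFile         # where odbctrac writes its log
            TraceDll  = $v.TraceDll          # which DLL does the tracing
        }
    }
}

function Test-TraceFileForCredentials {
    param([string]$File)
    if (-not $File -or -not (Test-Path -Path $File)) { return }
    # SQLConnect/SQLDriverConnect entries are logged with the arguments the
    # application passed, so check whether UID=/PWD= pairs ended up in clear.
    Select-String -Path $File -Pattern '\b(UID|PWD)=' |
        ForEach-Object {
            [pscustomobject]@{ Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
    # Whoever can read the log gets whatever it contains: show the ACL.
    (Get-Acl -Path $File).Access | Select-Object IdentityReference, FileSystemRights
}

$state = Get-OdbcTraceState
$state | Format-Table -AutoSize
foreach ($s in $state) {
    if ($s.Enabled) {
        Write-Warning "ODBC tracing is ON in $($s.Scope); trace file: $($s.TraceFile)"
    }
    Test-TraceFileForCredentials -File $s.TraceFile
}
```

If tracing is on and the file lists credentials, turning tracing off in the ODBC Data Source Administrator and deleting or locking down the file removes the exposure this thread is about.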
