Jet 4.0 Text IISAM Allows Users to Append Lines to System Files

Article translations Article translations
Article ID: 239471 - View products that this article applies to.
This article was previously published under Q239471
This article has been archived. It is offered "as is" and will no longer be updated.
Novice: Requires knowledge of the user interface on single-user computers.

This article applies only to a Microsoft Access database (.mdb).

Expand all | Collapse all

SYMPTOMS

The Text IISAM allows you to manipulate text files without checking the file name extension. This creates a potential security risk because it can be used to read or write to a system text file.

CAUSE

The Text IISAM is able to modify the contents of text files that are formatted as data tables. This feature makes it easy for you to exchange data on different systems.

RESOLUTION

This problem has been fixed in the latest edition of the Jet Service Pack. The following registry key is dynamically added when a program loads the Text IISAM. This registry key prevents this type of security risk:
HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\Engines\Text\DisabledExtensions
For additional information about how to obtain the latest version of the Jet 4.0 database engine, click the following article number to view the article in the Microsoft Knowledge Base:
239114 How To: Obtain the Latest Service Pack for the Microsoft Jet 4.0 Database Engine

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

NOTE: Jet40SP3.exe was updated on October 11, 1999. If you previously installed this update and would like to use the stricter security control provided in the updated Mstext40.dll, run the installed Mstext40.reg file. To run the Mstext40.reg file, locate the file on your system and double-click it.

There could be a possible security risk when someone uses the Text IISAM to modify any of the system text files, such as Autoexec.bat, Config.sys, System.ini, and so on.

After you install the updated version of Jet, you will only be able to use the Text IISAM to update text files with the following extensions:
  • txt
  • csv
  • tab
  • asc
  • htm
  • html
These are the default extensions that are added to the registry key listed in the "Resolution" section. The Value data for the registry key is:
!txt,csv,tab,asc,htm,html
In the first release of Jet 4.0 SP3, you were not be able to use the Text IISAM to update text files with the following extensions:
  • bat
  • cmd
  • ini
  • sys
  • inf
  • vbs
  • js
These are the default extensions that were added to the registry key listed in the "Resolution" section with the first release of Jet 4.0 SP3. The Value data for the registry key was:
bat,cmd,ini,sys,inf,vbs,js
NOTE: The first release of Jet 4.0 SP3 did not provide the use of an exclamation mark (!). When you place an exclamation mark at the beginning of the Value data, you can modify only files with the extensions listed. When you do not place an exclamation mark at the beginning of the Value data, you cannot modify files with the extension listed. With the Jet 4.0 Text IISAM, you cannot set the registry key to an empty string. Therefore, if you do not want to block access to any system text files, you should set the registry key to a binary file name extension. For example, you can use .exe.

NOTE: Microsoft Access users may receive the following error when trying to import a text file that is not one of the enabled extensions:
Can't Update. Database is read-only.
To resolve the error, either rename the file extension to one of the enabled extension types or modify the DisabledExtensions registry key using the methods in this article.

Properties

Article ID: 239471 - Last Review: February 28, 2014 - Revision: 3.1
APPLIES TO
  • Microsoft Access 2000 Standard Edition
  • Microsoft Open Database Connectivity Driver for Access 4.0
Keywords: 
kbnosurvey kbarchive kbbug kbpending KB239471

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com