Jet Expression Can Execute Unsafe Visual Basic for Applications Functions

This article was previously published under Q239104
This article has been archived. It is offered "as is" and will no longer be updated.
Moderate: Requires basic macro, coding, and interoperability skills.

Symptoms
Using Jet 3.5x, a user can call unsafe Visual Basic for Applications functions in query statements from all types of Jet applications, such as ODBC or Access. For example, the following statement would result in all files being deleted from a computer's current folder:

SELECT Shell("Cmd /c del *.*") As c1 From Customers
NOTE: The Shell command in this example works in Microsoft Windows NT. The command would have to be modified as follows to work on a computer running Microsoft Windows 95/98:
SELECT Shell("Command.com /c del *.*") As c1 From Customers
The security risk occurs when expressions contain Visual Basic for Applications commands that can be harmful to the computer running the query, for example, Shell commands that delete files or format the computer.
Cause
Jet queries can contain Visual Basic for Applications expressions. These are evaluated during query execution, a behavior that is desirable in many circumstances. However, if part of the query contains the Shell command, it is parsed and executed on the computer.

Jet can block such operations; this is called "Sandbox mode." However, by default in Microsoft Jet 3.5x, Sandbox mode is not enabled for any application that can issue Visual Basic for Applications commands.
Resolution
In order to enable Sandbox mode, you must first install the Microsoft Jet 3.5 SP3 update. After installing this update, the next time that you run Jet, a new registry key is added to the registry. You can use this new registry key to prevent this type of security risk. The following is the registry key that is added:
   \\HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\3.5\engines\SandboxMode
For additional information about how to obtain the Microsoft Jet 3.5 SP3 update, please click the article number below to view the article in the Microsoft Knowledge Base:
172733 Updated Version of Microsoft Jet 3.5 Available on MSL
To make your system more resistant to malicious attacks while still allowing older applications to keep running, the Jet update changes the operation of Sandbox mode so that it is fully under your control.

You can set the key to the following values, with 0 (zero) being most permissive and 3 being least permissive:

Setting   Description
0         Sandbox mode is disabled at all times.
1         Sandbox mode is used for Access applications, but not for non-Access applications.
2         Sandbox mode is used for non-Access applications, but not for Access applications. (This is the default value.)
3         Sandbox mode is used at all times.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
More information
With Sandbox mode enabled, if you try to use Visual Basic for Applications functions in a Jet query that are not considered safe, you receive the following error message:
JET_errExprUnknownFunction

Sandbox Mode Operations Allowed

The following is a list of functions that you can use in Jet queries when Sandbox mode is enabled. Any functions that do not appear in the list are not available in Sandbox mode.

ABS, array, ASC, ASCB, ASCW, ATN
CBOOL, CBYTE, CCUR, CDATE, CDBL, choose
CHR, CHR$, CHRB, CHRB$, CHRW, CHRW$
CINT, CLNG, COS, CSNG, CSTR, CVAR
CvDate, CVErr, date, DATE$, DATEADD, dateDiff
datePart, DATESERIAL, DATEVALUE, day, DDB, error
error$, EXP, fix, format, format$, fv
hex, hex$, HOUR, IIF, IMEStatus, inStr
INT, IPMT, IRR, isDate, isEmpty, ISERROR
isNull, isNumeric, isObject, lCase, lCase$, LEFT
LEFT$, LEFTB, LEFTB$, LEN, LENB, LOG
lTrim, lTrim$, MID, MID$, MIDB, MIDB$
MINUTE, MIRR, MONTH, NOW, NPER, NPV
oct, oct$, partition, PMT, PPMT, PV
QBColor, RATE, RGB, RIGHT, RIGHT$, RIGHTB
RIGHTB$, rnd, round, rTrim, rTrim$, SECOND
sgn, SIN, SLN, space, space$, sqr
str, str$, strComp, strConv, string, string$
switch, SYD, TAN, TIME, TIME$, timer
timeSerial, TIMEVALUE, TRIM, TRIM$, typeName, uCase
uCase$, val, varType, WEEKDAY, YEAR
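The SandboxMode table in the Resolution section and the allowlist above together decide which function calls in a query Jet rejects. The following added example (not part of this Knowledge Base article) encodes both and audits a query string before you change the registry value: the allowlist and the 0-3 mode table are taken from this article, while the function names (sandbox_active, called_functions, blocked_functions) and the regex-based extraction of call names are assumptions of this example, not Jet's own parser.

```python
import re

# Functions usable in Jet queries when Sandbox mode is enabled, copied from
# this article's table. Jet function names are case-insensitive, so compare
# in upper case.
SANDBOX_ALLOWED = {name.upper() for name in """
ABS array ASC ASCB ASCW ATN CBOOL CBYTE CCUR CDATE CDBL choose
CHR CHR$ CHRB CHRB$ CHRW CHRW$ CINT CLNG COS CSNG CSTR CVAR
CvDate CVErr date DATE$ DATEADD dateDiff datePart DATESERIAL DATEVALUE
day DDB error error$ EXP fix format format$ fv hex hex$ HOUR IIF
IMEStatus inStr INT IPMT IRR isDate isEmpty ISERROR isNull isNumeric
isObject lCase lCase$ LEFT LEFT$ LEFTB LEFTB$ LEN LENB LOG lTrim lTrim$
MID MID$ MIDB MIDB$ MINUTE MIRR MONTH NOW NPER NPV oct oct$ partition
PMT PPMT PV QBColor RATE RGB RIGHT RIGHT$ RIGHTB RIGHTB$ rnd round
rTrim rTrim$ SECOND sgn SIN SLN space space$ sqr str str$ strComp
strConv string string$ switch SYD TAN TIME TIME$ timer timeSerial
TIMEVALUE TRIM TRIM$ typeName uCase uCase$ val varType WEEKDAY YEAR
""".split()}

# SQL keywords that may precede "(" but are not function calls (assumed set).
SQL_KEYWORDS = {"IN", "EXISTS", "VALUES", "AND", "OR", "NOT", "WHERE",
                "SELECT", "INSERT", "INTO", "UPDATE", "FROM", "ON", "AS"}

def sandbox_active(mode: int, is_access_app: bool) -> bool:
    """Map the SandboxMode registry value (0-3) to whether this caller is sandboxed."""
    if mode == 0:
        return False
    if mode == 1:
        return is_access_app
    if mode == 2:
        return not is_access_app
    if mode == 3:
        return True
    raise ValueError(f"unexpected SandboxMode value {mode!r}")

_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*\$?)\s*\(")

def called_functions(sql: str) -> list[str]:
    """Names invoked as functions in the query text, in order of appearance.
    String literals are blanked first so names inside them are not counted."""
    stripped = re.sub(r'"[^"]*"|\'[^\']*\'', '""', sql)
    return [n for n in _CALL.findall(stripped) if n.upper() not in SQL_KEYWORDS]

def blocked_functions(sql: str, mode: int, is_access_app: bool) -> list[str]:
    """Calls that Jet would reject with JET_errExprUnknownFunction under the
    given SandboxMode value for this kind of caller (empty if not sandboxed)."""
    if not sandbox_active(mode, is_access_app):
        return []
    return [f for f in called_functions(sql) if f.upper() not in SANDBOX_ALLOWED]
```

Running the article's sample statement through blocked_functions with the default value 2 shows the gap the article describes: an Access caller is not sandboxed, while an ODBC caller gets the Shell call rejected.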
Properties

Article ID: 239104 - Last Review: 10/26/2013 06:42:00 - Revision: 5.0

Microsoft Access 97 Standard Edition, Microsoft Office 97 Professional Edition

  • kbnosurvey kbarchive kbbug kbpending KB239104