Microsoft Access Known Database Attack

1997-07-09T00:00:00
ID OSVDB:2917
Type osvdb
Reporter OSVDB
Modified 1997-07-09T00:00:00

Description

Vulnerability Description

Microsoft Access has a flaw in the encryption used to protect databases. The RC4 based encryption uses the same key for both encryption and decryption with no password/phrase. By creating a database equal in size as the target database, an attacker can use the XOR'd key stream from the newly created database to decrypt the target database.

Solution Description

Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Microsoft Access has a flaw in the encryption used to protect databases. The RC4 based encryption uses the same key for both encryption and decryption with no password/phrase. By creating a database equal in size as the target database, an attacker can use the XOR'd key stream from the newly created database to decrypt the target database.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1997_3/0049.html