MS Database Engine Flaw Discovered
By Ed Oswald | Published April 12, 2005, 1:17 PM
Security firm Secunia on Tuesday announced that it had uncovered a vulnerability within Microsoft's Jet Database Engine that could possibly compromise a user's system by allowing the attacker to execute malicious code hidden in an Access database (.mdb) file.
The firm labeled the flaw "highly critical," and said it affects Windows 2000 and XP Home and Professional operating systems, along with Access 2000, 2002, and 2003 databases.
A memory handling error occurs when the engine parses a .mdb database file. A hacker could exploit the vulnerability by tricking the user into executing the file, allowing it to run malicious code on the user's system.
According to Secunia, details of how to exploit this vulnerability have already circulated on a public mailing list, and the firm urged computer users to make sure they know the person who is sending the database files before opening them.
The vulnerability was confirmed on a fully patched version of both Windows XP SP1 and SP2 with Access 2003.
"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Office. We have been made aware that exploit code for this vulnerability has also been released," a company spokesperson told BetaNews. "We have not been made aware of any attacks attempting to use the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."
I just wish these "security" companies would work with the company whose code they found problems with. 24 hours is not enough time, especially for a company like MS which probably receives hundreds or thousands of "possible security problems" every day. Most are nothing but they still have to weed through them to find the real ones.
Score: 0
|Gosh I really feel for the multi-billion dollar corporation. Poor, poor MS that has to look into every wittle itty bitty security bug. The violins are exploding they are playing so loud.
Tough.
-Security is not about "giving a break."
-The vuln was public before Secunia published. Why isn't praise being given to them since Microsoft didn't feel obligated to announce it to the world? It's always "We'll look into it and give you a patch 29 days to 6 months from now."
Score: 0
|Don't feel for MS at all, I don't care. Instead, feel for the hundreds of millions of people out there that could be affected by this. Sure, Access doesn't have the largest install base in the world (although it's more than some people think) but any exploit that allows arbitrary code to run means you have the potential to make a zombie machine.
Score: 0
|Just like you guys to announce "vulnerabilities" (whether a true flaw in the OS or simply a hidden means to catch malicious code) to the public rather than actually work with Microsoft to fix the problem. 'Sides, "Highly Critical" should refer to things that are just that, and while the number may be great, how many people use Windows XP with MS Access 2003 who even connect to the web? Fewer than you'd think, especially since Access 2003 only comes with the Enterprise Office version. I think of RPC vulnerability, LSASS.exe vulnerability, and the email malformed header vulnerability (whatever it's called) as highly critical--this one's moderately critical AT BEST.
Score: 0
|I agree with you about the disclosure timing (but Secunia is really just re-publishing HexView's advisory). HexView states that Microsoft was notified on March 30 and HexView's advisory is dated March 31. Wow, they gave Microsoft ONE DAY.
Unfortunately, the vulnerability is in the Jet engine, not actually in Access itself. The Jet engine is distributed with the OS and used by many many many MS and non-MS apps thru ODBC and OLE DB, even if Access is not installed. On the other hand, without Access installed, there is usually no file association for MDB, so you can't simply email an MDB file to some idiot who opens it. Furthermore, the MDB file extension has already been regarded as an "executable" by antivirus and content filtering products. For example, all recent versions of Outlook will block all MDB attachments by default.
Score: 0
|Agree with you, the point is the vulnerability with MSJET only occurs if it is an .mdb file in Access 2003 format. Without MS Access, how can the macro utilize the vulnerability?
Score: 0
|Because it's not an Access macro, and doesn't require Access 2003 format. Read the original advisory. It's basically an invalid mdb format which takes advantage of a weakness in Jet's error handling, conceptually very similar to buffer overflow exploits.
Score: 0
|How long will it take to fix this problem, or will they?!
Score: 0