Access 97 'enabled' MDE databases are vulnerable!

        22 votes: *****      5,104 views      0 comments
by Wayne Phillips, 25 October 2006    (Access 97+)

We recently had a situation where a client approached us for a conversion of an Access 97 MDE file back to MDB format.  Our initial observations on this file were quite startling because we were able to recover the VBA source code in its entirety, without any reverse engineering at all.

Further investigation into this particular MDE application revealed that the file was actually what Microsoft call an Access 2000 'enabled' database.  An Access 2000 (or above***) enabled database is basically an Access 97 format MDB application that has been opened in Access 2000 - Access 2000 creates a duplicate copy of every Access-object in the database (forms, reports, modules etc) - including VBA source code and stores it in it's own native format within the file.

*** An 'enabled' database is created by all versions of Access from 2000 onwards when you choose to open the Access 97 format database rather than convert it.  This article applies to Access 97 MDB databases that have been opened in any version of Access from 2000 onwards prior to being converted to MDE format.

The problem with this 'dual-storage' approach only becomes apparent when you convert the Access 97/2000 'enabled' application to MDE format.  You guessed it - the duplicate Access 2000 copies of the forms, reports and VBA modules are left perfectly intact during this process.  Fortunately Access 2000 will no longer open the file since it won't even try to open an Access 97 MDE file, however all the original VBA source code is available by using any good recovery software (including our own).

Fortunately there is an easy fix for this, and that is to delete the MSysAccessObjects and/or MSysAccessStorage system tables from your MDE file - these tables are where Access 2000 and Access 2002+ stores the forms, reports and modules (amongst other things) - it is perfectly safe to delete these tables from your Access 97 MDE file in this instance, and will completely remove this vulnerability.

Conclusion

As a developer, when delivering an Access 97 MDE, ensure that neither of the two system tables MSysAccessObjects nor MSysAccessStorage exist in your file.  They will *never* be needed in an Access 97 MDE, so delete them in order to protect your VBA code.

Tip: You will need to turn on the visibility of system tables in the Tools / Options / View window in order to check these tables don't exist.

 

Wayne Phillips, October 2006
http://www.everythingaccess.com

Rate this article:   Your rating: Poor Your rating: Not so good Your rating: Average Your rating: Good Your rating: Excellent



Have your say - comment on this article.

What did you think of 'Access 97 'enabled' MDE databases are vulnerable!'?

No comments yet.

Why not be the first to comment on this article?!

Have your say...

Name
E-mail (e-mail address will be kept private)
Comments
Verify Code
Verification Code


It may take 30 seconds after clicking submit - please be patient to avoid duplicate submissions.  

All comments must be approved before being displayed on this web page.  This process may take up to 24 hours.