A "feature" in the latest version of ODBC--a database-independent API used by application and Web programmers to access a variety of data sources--has the security community in an uproar. ODBC 3.0 features a new TRACE function (used to log network activity) that automatically supplies user names and passwords. Prior versions did not do this.
"They have gutted the security," said Dan Gordon, an independent consultant. "There is no security anymore on any ODBC products."
A Microsoft official said there is a Data Definition Language (DDL) available to prevent users from uncovering passwords and user names with TRACE. This DLL has to be on the user's machine for it to work, however.
For now, the only thing you can do to fix the hole is to disable the TRACE function when deploying ODBC 3.0-compatible software.
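One way to verify that tracing really is off on a deployed machine, shown as an added example that is not part of the original article: the Python sketch below scans ini-style ODBC configuration text for an enabled `Trace` setting and reports the associated `TraceFile`, since an existing log may already hold credentials. It assumes the ini layout used by driver managers such as unixODBC (`Trace` and `TraceFile` keys); the sample file contents, driver name and paths are constructed, and the Windows registry copy of these settings is not read.

```python
import configparser

# Assumption: values a driver manager treats as "tracing on"
# (covers the "1" style and the unixODBC "Yes"/"On" style).
ENABLED_VALUES = {"1", "yes", "y", "on", "true"}

def find_odbc_tracing(ini_text, source="<inline>"):
    """Return one finding per section whose Trace key is enabled."""
    parser = configparser.ConfigParser(
        strict=False,          # tolerate duplicate sections/keys
        interpolation=None,    # '%' in paths must not be interpreted
        allow_no_value=True,   # tolerate bare keys
    )
    parser.read_string(ini_text, source=source)
    findings = []
    for section in parser.sections():
        # configparser lowercases option names, so "Trace" matches "trace".
        value = (parser.get(section, "trace", fallback="") or "").strip().lower()
        if value in ENABLED_VALUES:
            trace_file = (parser.get(section, "tracefile", fallback="") or "").strip()
            findings.append({
                "source": source,
                "section": section,
                "trace_file": trace_file or "(driver manager default)",
            })
    return findings

# Constructed sample: tracing left on after debugging.
SAMPLE_ENABLED = """
[ODBC]
Trace = Yes
TraceFile = /tmp/sql.log

[Payroll]
Driver = /usr/lib/libexample.so
"""

# Constructed sample: the same file with tracing disabled for deployment.
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("Trace = Yes", "Trace = No")

if __name__ == "__main__":
    for name, text in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        hits = find_odbc_tracing(text, source=name)
        for hit in hits:
            print(f"{hit['source']}: [{hit['section']}] tracing ON, "
                  f"log at {hit['trace_file']}")
        if not hits:
            print(f"{name}: tracing is off")
```

Any trace file the check reports should be treated as containing credentials: restrict or remove it, and rotate the passwords it may have captured.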