Microsoft Data Access Components - History

History

Microsoft has released several versions of MDAC over time. The distribution method has varied and the feature-set is different for each version.

MDAC 1.0

MDAC 1.0 was first released in August 1996. According to Microsoft, "MDAC 1.0 existed more as concept than a coordinated, stand-alone setup program." The MDAC 1.0 stack consisted of ODBC 3.0, OLE DB 1.1, ADO 1.0, and the Advanced Data Connector (ADC) 1.0 — which according to Microsoft was the precursor to the Remote Data Service of MDAC 1.5. It also included ODBC drivers for Access/Jet, SQL Server and Oracle databases. MDAC 1.0 was released via several mechanisms: the Advanced Data Connector shipped with Internet Information Server (IIS) 3.0 and as a downloadable cab file; OLE DB 1.1 and ADO 1.0 shipped with the OLE DB 1.1 SDK, which came with Visual Studio 97 and was also downloadable. MDAC 1.0 came with Active Server Pages, that itself came in IIS 3.0, and also came with Visual InterDev 1.0.

MDAC 1.5

MDAC 1.5 was released between September 1997 and March 1998, and involved a more centralised distribution mechanism than MDAC 1.0. It was released with Microsoft Internet Explorer 4.0, the Internet Client SDK 4.0 and through a CD-ROM given out at the 1997 Professional Developers Conference (PDC). There were five versions of MDAC 1.5:

• MDAC 1.5 (initial release): included with Internet Explorer 4.0 and the Internet Client SDK.
• MDAC 1.5a: downloadable from Microsoft's website
• MDAC 1.5b: came with Windows NT 4.0 Option Pack & Office 97
• MDAC 1.5c: fixed issues with ADO threading and ODBC Connection Pooling and was distributed via the Microsoft website. It only came with the ADO/MDAC runtime components.
• MDAC 1.5d: came included with Windows 98 and Internet Explorer 4.01 service pack 1.

The different versions of MDAC 1.5 consisted of:

• ODBC 3.5
• OLE DB 1.5
• ADO 1.5
• Remote Data Service 1.5, which superseded the Advanced Data Connector.

This version of MDAC had a security flaw that made it vulnerable to an escalated privileges attack. The vulnerability caused systems that had both IIS and MDAC installed to give an unauthorized web user the ability to execute shell commands on the IIS system as a privileged user. This allowed the attacker to use MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network when on a multi-homed Internet-connected IIS system. It also allowed the user to gain unauthorized access to secured, non-published files on the IIS system

MDAC 1.5 was the last data access component release supported under Windows NT 3.51 SP5.

MDAC 2.0

MDAC 2.0 was distributed with the Data Access 2.0 SDK and included the contents of MDAC 1.5, the ODBC 3.5 SDK and the OLE DB 1.5 SDK, and the OLE DB for OLAP Specification. It also had included many updates to the core product, including a security feature added to the RDS which prevented it from being used maliciously an IIS server. This version came included in Windows NT 4.0 SP4, and also with Visual Studio 6.0, which came with the full Data Access SDK.

MDAC 2.1

MDAC 2.1 was distributed with SQL Server 7.0 and SQL Server 6.5 SP5. MDAC 2.1 SP1 was distributed with Internet Explorer 5 and MDAC 2.1 SP1a (GA) was distributed with Microsoft Office 2000, BackOffice 4.5 and Visual Studio 98 SP3. However, none of these versions of MDAC were released to the general public via the world wide web. MDAC 2.1 SP2 was distributed from Microsoft's website. The components that were included with 2.1 were:

• ADO 2.1
• RDS 2.1
• OLE DB 2.1
• the OLE DB Provider for ODBC, SQL Server and Oracle
• JRO 2.1
• a Jet driver
• RDO.

This version had security vulnerabilities whereby an unchecked buffer could allow an elevated privileges attack. This was found some time later and it affected MDAC 2.1, 2.5 and 2.6 and was addressed in a later patch

MDAC 2.5

MDAC 2.5 was released on February 17, 2000 and distributed with Windows 2000, and the MDAC service packs were released in parallel with the Windows 2000 service packs. They were also distributed through Microsoft's website. Three service packs were released. The components included with 2.5 were:

• ADO 2.5
• ADO MD 2.5
• ADOX 2.5
• RDS 2.5
• OLE DB 2.5
• many OLE DB Providers
• JRO 2.5
• ODBC 3.51
• many ODBC drivers
• many Jet drivers.

Several issues were found in this version of MDAC. When using OLE DB Session Pooling, Microsoft COM+ would try to continuously load and unload OLE DB, and a conflict could arise that caused the OLE DB Session Pooling to run at 100% CPU usage. This was later fixed. Microsoft published a full list of bugs fixed in MDAC 2.5 Service Pack 2 and MDAC 2.5 Service Pack 3. A security vulnerability also existed (later fixed) whereby an unchecked buffer in was found in the SQL Server Driver. This flaw was introduced in MDAC 2.5 SP2.

MDAC 2.6

MDAC 2.6 was released in September 2000 and was distributed through the web and with Microsoft SQL Server 2000 MDAC 2.6 RTM, SP1 (released June 20, 2001), and SP2 (released June 11, 2002) were distributed in parallel with the Microsoft SQL Server 2000 service packs, and could also be downloaded from the Microsoft website.

Beginning with this version of MDAC, Microsoft Jet, Microsoft Jet OLE DB Provider, and the ODBC Desktop Database Drivers were not included. Instead, these could be installed manually. Microsoft also released an alert warning that MDAC 2.6 should not be installed on an SQL Server 7.0 Cluster, because "if you install MDAC 2.6 or later on any node in the cluster, directly or through the installation of another program, it may cause a catastrophic failure of the SQL Server Agent or other SQL Server services." This issue affected Veritas Software's Backup Exec 9.0 for Windows Servers, because it installs Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) as its database. Revision 4367 installed MDAC version 2.6 SP2 while revision 4454 installed MDAC version 2.7 SP1, which did not have the problem

MDAC 2.7

MDAC 2.7 was released in October 2001 through Microsoft's website. A refresh release was issued in April 2002 through the release of Windows XP and through Microsoft's website. Version 2.7 was available in U.S. English, Chinese (Traditional and Simplified), German, Japanese, Korean, Brazilian Portuguese, Czech, Danish, Greek, Slovak, Slovenian, Spanish, Finnish, French, Hungarian, Italian, Dutch, Norwegian, Polish, Portuguese, Russian, Swedish, and Turkish. Hebrew and Arabic were only available through Windows XP.

The main feature change was support for Microsoft's 64-bit operating system, however support for Banyan VINES was also dropped from this version of MDAC. There were several known issues: MDAC 2.7 continued causing connectivity problems on clustered servers running Microsoft SQL Server 6.5 or SQL Server 7.0, with no workaround provided by Microsoft. When creating or configuring ODBC data source names (DSNs) using the Microsoft SQL Server ODBC driver the network library protocol might unexpectedly switch to TCP/IP, even if the DSN was configured to use named pipes. This issue was found by InfoWorld reporter Randall C. Kennedy, who identified that the change was actually made in MDAC 2.6 but was never documented. It was discovered when testing client/server database workloads on a Windows XP computer; InfoWorld claims that although overall server CPU utilization rose by only 8 percent using TCP/IP, context switches per second dropped by more than 150 percent (which is of course impossible because you would then have a negative context switch rate - the drop is either 33% or 60% depending on which planet the author was on at the time of writing) for a 10-user workload. They were unimpressed that a fundamental functional change to the default behaviour of Net-Lib occurred without more than a passing mention in an unrelated document. Windows XP users also sometimes experienced problems connecting to SQL Server because SQL Server attempts to use certificates it finds on the local computer, however if there is more than one certificate available it did not know which one to use. When attempting to use Microsoft Analysis Services 2000 RTM, an error would sometimes appear when trying to browse cubes. Microsoft also discovered a problem in Windows 95, Windows 98, and Windows Me's setup program which prevented the MDAC installation program from rolling back when it encountered an installation error.

Several security issues were resolved by Microsoft for MDAC 2.7. David Litchfield of Next Generation Security Software Ltd reported a security vulnerability that results because one of the ODBC functions in MDAC that is used to connect to data sources contained an unchecked buffer. Another vulnerability that was fixed was one whereby an attacker could respond to an SQL Server discovery message broadcast by clients with a specially crafted packet that could cause a buffer overflow. Another flaw was found whereby code could be executed remotely when the attacker responded to the broadcast with another specially crafted packet.

MDAC 2.8

MDAC 2.8 was released in August 2003 and distributed with Microsoft Windows Server 2003, as well as on Microsoft's Data Access Technologies website. It did not introduce any new features to the product but fixed a number of bugs and security issues — a reg file (automates changes to the registry) was removed that made the server run in an "unsafe" mode whereby the RDS could be exploited to gain unauthorized access to the system and a new restriction was imposed on the length of the Shape query string. There were also several ODBC Administrator changes.

On May 23, 2005 Brad Rhodes (Lead Program Manager of Microsoft Data Access Technologies) announced that MDAC 2.8 SP1 was the last stand-alone redistributable of MDAC that Microsoft will ship. MDAC is now an official component of the Microsoft's operating system, though they will be providing ongoing bug and security fixes to previously released versions of the web-distributable version. However, Microsoft have created a new component called the SQL Native Client (SQLNCLI), which is a stand alone data access API that has combined the OLE DB and ODBC libraries into one DLL. It was formed to be independent of MDAC, which is now reliant on the state the operating system is in — a developer now links to this library and avoids situations where an update of the operating system which updates MDAC breaks applications built to a different version of MDAC.

Windows 7 SP1 has broken backwards compatibility of MDAC 2.8. Software compiled on Windows 7 SP1 that relies on MDAC ADO will not work on Windows versions prior to Windows 7 SP1 (including Windows 7 RTM, Vista, XP). Microsoft has provided solutions to work around this issue for some applications but VBA applications remain affected. The fix for this issue has been release in February 2012.

Windows DAC 6.0

Windows Vista will no longer use MDAC, but instead use Windows DAC, which consists of updated versions of ADO, OLE DB, and ODBC components. According to Microsoft, "Windows DAC includes some changes to work with Windows Vista, but is almost entirely functionally equivalent to MDAC 2.8."