Critical Lotus Notes flaws discovered

SearchSecurity.com Staff

Errors in some third-party file attachment viewers connected to IBM Lotus Notes can be exploited by an attacker to bypass some security programs and gain access to sensitive information.

IBM issued a technote advisory, warning users of the problems and advising users of workarounds and updates. Version 7.0.3 or 8.0 of Lotus Notes repairs some of the flaws.

"To successfully exploit these vulnerabilities, an attacker would need to send a specially crafted file attachment to users, and the users would then have to double-click and view the attachment," IBM said.

Danish vulnerability clearinghouse Secunia labeled the threat "highly critical" in its Secunia SA27279 advisory. Secunia said the holes could be remotely "exploited by malicious, local users to gain knowledge of potentially sensitive information and by malicious people to bypass certain security mechanisms or compromise a user's system."

In addition, a boundary error when parsing HTML messages in nnotes.dll can be exploited to cause a buffer overflow when a user replies, forwards or copies a malicious HTML message, Secunia said.

Security researcher Tan Chew Keong is credited with discovering some of the vulnerabilities. Keong said in a posting at insecure.org that multiple exploitable buffer overflow vulnerabilities were found within a file attachment viewer in Lotus Notes.

"The vulnerabilities can be exploited to execute arbitrary code by tricking the user to view a malicious DOC, SAM, WPD, or MIF file attachment using the file attachment viewer in Lotus Notes," Keong said.

Also credited with the discovery were ZDI, VeriSign iDefense Labs, Ed Schaller, Ollie Whitehouse of Symantec, Dan Ritter and the VCC.

