IBM Lotus Notes critical flaw affects file viewing

SearchSecurity.com Staff

A researcher has discovered a critical vulnerability in IBM Lotus Notes, which could be exploited by attackers remotely to cause a buffer overflow and gain access to a victim's machine.

The flaw is in the way the Lotus 1-2-3 email client processes a .123 file with its file viewer. An attacker can exploit the flaw to crash the application or trick a user into double-clicking and viewing a specially crafted attachment, according to an advisory issued Tuesday by the French Security Incident Response Team (FrSIRT).

Lotus Notes version 7.x is affected, and possibly versions 8.x and 6.5.6, as well as other software packages using the Verity KeyView SDK.

FrSIRT rated the vulnerability "critical" since it could be exploited both remotely and locally. Danish vulnerability clearinghouse Secunia labeled the threat "highly critical" in its Secunia SA27836 advisory.

Sebastián Muñiz, a research engineer and exploit writer with Core Security, is credited with discovering the flaw. In an advisory issued by Core, Muñiz said successful exploitation requires end-user interaction, but it could be easy to trick an end user with a simple .jpg or .gif file.

"Although these specific vulnerabilities exist on a third-party component, the problem is compounded by the way Lotus Notes displays information about attachments, making it easier to elicit unsuspecting assistance from the users to exploit them," he said.

IBM has issued a patch for the flaw. Core said Lotus users have several workarounds to prevent end-users from viewing the files. The keyview.ini file can be deleted in the Notes program directory to disable all viewers.
