
Critical Lotus Notes flaws discovered

Security researchers have discovered multiple flaws in some file attachment viewers in IBM Lotus Notes that could be exploited by an attacker to access sensitive information.

Errors in some third-party file attachment viewers connected to IBM Lotus Notes can be exploited by an attacker to bypass some security programs and gain access to sensitive information.

IBM issued a technote advisory, warning users of the problems and advising users of workarounds and updates. Version 7.0.3 or 8.0 of Lotus Notes repairs some of the flaws.

"To successfully exploit these vulnerabilities, an attacker would need to send a specially crafted file attachment to users, and the users would then have to double-click and view the attachment," IBM said.

Danish vulnerability clearinghouse Secunia labeled the threat "highly critical" in its Secunia SA27279 advisory. Secunia said the holes could be remotely "exploited by malicious, local users to gain knowledge of potentially sensitive information and by malicious people to bypass certain security mechanisms or compromise a user's system."

In addition, a boundary error when parsing HTML messages in nnotes.dll can be exploited to cause a buffer overflow when a user replies, forwards or copies a malicious HTML message, Secunia said.

Security researcher Tan Chew Keong is credited with discovering some of the vulnerabilities. Keong said in a posting that multiple exploitable buffer overflow vulnerabilities were found within a file attachment viewer in Lotus Notes.

"The vulnerabilities can be exploited to execute arbitrary code by tricking the user to view a malicious DOC, SAM, WPD, or MIF file attachment using the file attachment viewer in Lotus Notes," Keong said.

Also credited with the discovery were ZDI, VeriSign iDefense Labs, Ed Schaller, Ollie Whitehouse of Symantec, Dan Ritter and the VCC.
