Patch Available for Lotus Notes Security Flaw
December 4, 2007 Alex Woodie
IBM is helping to distribute a patch for a security vulnerability discovered in a Lotus Notes file viewer that could allow an attacker to take full control of an affected computer. IBM says the flaw, which was disclosed last week by Core Security Technologies, only affects the Lotus Notes client, and not the Domino server. A patch is available for Notes version 7 and 8.
Sebastián Muñiz from the Core Impact Exploit Writers Team (EWT) at CorernSecurity Technologies is credited with discovering a buffer overflow vulnerability in a third-party file viewer that’s used to open Lotus 1-2-3 e-mail attachments. According to Core, the vulnerability in the Lotus WorkSheet file processor, which is developed by the software company Autonomy and which IBM distributes as a component of Notes, could allow an attacker to execute arbitrary code when they get a victim to open a corrupt Lotus 1-2-3 file sent as an e-mail attachment.
IBM and Autonomy were alerted to the flaw, and worked together to develop a patch for Notes versions 7 and 8. Notes customers are encouraged to contact IBM to obtain the patch, according to IBM’s Technote on the problem.
The problem also affects Notes versions 5 and 6. In lieu of a patch, users are encouraged to work around the flaw by disabling the Autonomy file viewer. Instructions on how to do this are available in the IBM Technote.
The flaw represents a severe threat to organizations that use Lotus Notes for e-mail, says Core Security CTO Ivan Arce. “The discovery of this vulnerability in the Lotus Notes client underlines, once again, that securing endpoint systems and the applications that run on them is critical,” he says, “and that no vendor is immune to the perils of client application security.”