February 10, 2006 10:17 AM PST

IBM patches Lotus flaw

Related Stories

Lotus flaw reported--but IBM's unfazed

April 7, 2005
IBM has issued a patch for a half dozen "highly critical" security flaws in versions of its Lotus Notes, which could allow a malicious attacker to execute arbitrary code remotely when users access files through the Notes attachment viewer.

The vulnerabilities affect versions of Lotus Notes 6.5.4 and 7.0 or earlier, according to an advisory released Friday by security firm Secunia, which discovered the flaws.

"This is big problem because a very large number of corporations use Lotus Notes," said Thomas Kristensen, Secunia's chief technology officer. "When users receive an e-mail with an attachment, all they have to do is click on the attachment to read it, and their systems are vulnerable to a remote attack."

IBM issued a security update, 7.0.1, this week and 6.5.5 in December.

"Secunia contacted IBM Lotus to report five buffer overflow vulnerabilities and one directory traversal vulnerability in the KeyView viewers used in Lotus Notes," IBM said its in its security advisory. "To successfully exploit these issues, an attacker would need to send a specially crafted file attachment to users, and the users would have double click and 'view' the attachment."

One flaw, for example, occurs when checking for the existence of a compressed file in a ZIP archive. Vulnerabilities in Notes could be exploited when a user extracts a compressed file with a long file name within the Notes attachment viewer, leading to a buffer overflow and remote execution of code, according to Secunia.

Users may also find their systems exploited when using the Notes attachment viewer to open an encoded file with an overly long file name. A malicious encoded file could result in a buffer overflow and remote code execution, Kristensen said.

Lotus' attachment viewer, a built-in function of the software, allows users to view a wide range of file formats without requiring the specific application to be installed on their system to read the file.

Other vulnerabilities found in Lotus Notes include a boundary error in the HTML speed reader. When a user views a malicious HTML document, an attacker would exploit the flaw and take over a user's system that was running Lotus Notes.

See more CNET content tagged:
IBM Lotus Notes, Lotus, flaw, IBM Corp., buffer-overflow

1 comment

Join the conversation!
Add your comment
When Will IBM....
Begin the re-distribution of a fresh "brew" Lotus KONA that can go down very well with NOTES and DOMINO (SYMPHONY)! Given the good going of NOTES!

"Lotus brews potent Java with Kona":

<a class="jive-link-external" href="http://www.morochove.com/watch/cw/ff70206.htm" target="_newWindow">http://www.morochove.com/watch/cw/ff70206.htm</a>
Posted by Captain_Spock (894 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.