Core Security Technologies Discovers Vulnerability in IBM's Lotus Notes.

Users Vulnerable to Attack When Viewing Corrupt Lotus 1-2-3 File Attachments

BOSTON -- Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing, today issued an advisory disclosing several vulnerabilities that could severely impact the thousands of organizations using IBM Lotus Notes. The buffer overflow vulnerabilities affect the groupware application and the ability to elicit users to open corrupt email attachments.

The email functionality of Lotus Notes supports previewing and processing file attachments in various formats. A researcher from CoreLabs, the research arm of Core Security, discovered that by exploiting vulnerabilities in the Lotus WorkSheet file processor, an attacker could leverage a specially crafted Lotus 1-2-3 email attachment to remotely execute arbitrary commands and compromise vulnerable systems when users "view" the attachment.

"This is a severe threat to organizations that use Lotus Notes for corporate email communications," said Ivan Arce, CTO
at Core Security Technologies. "The discovery of this vulnerability in the Lotus Notes client underlines, once again, that securing endpoint systems and the applications that run on them is critical and that no vendor is immune to the perils of client application security. Vulnerable organizations should be prepared to quickly deploy the appropriate fixes and workarounds and users of the Lotus Notes client should use caution when presented with unknown file attachments, especially those from unfamiliar senders."

Vulnerability Specifics:

CoreLabs discovered several buffer overflow vulnerabilities in the third-party library from software vendor Autonomy. To preview and process files in the Lotus Worksheet File format (WKS) used by Lotus 1-2-3, the Lotus Notes email client uses Autonomy's Verity KeyView SDK. As tested, the vulnerabilities affect Lotus Notes Version 7, but Core Security cautions that the problem may also affect other applications using Verity KeyView SDK.

Although the exploitation of these vulnerabilities requires user intervention and the vulnerability is present on a third-party component, the problem is compounded by the way Lotus Notes displays information about attachments, which makes it easier to elicit assistance from unsuspecting users. Some particular characteristics of the Lotus Notes client could allow an attacker to send a malicious Lotus 1-2-3 file as an attachment with a seemingly innocuous file name and extension (for example, .JPG or .GIF) that could more easily lure users into viewing the file.

IBM has acknowledged this security problem and made a fix available for the l123sr.dll. IBM recommends that customers follow the instructions in their technote, which outlines the options customers have based on their current version of Lotus Notes. The technote can be found at: http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600.

To protect against potential attacks, Core Security recommends that users immediately implement one of the following measures:

* Workaround 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."
* Workaround 2: Delete the problem file (l123sr.dll). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Additional workarounds can be found in the detailed advisory.

For more information on this vulnerability and the systems affected, please visit: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2008 (Due to the length of this URL
, it may be necessary to copy and paste it into your Internet browser's URL address field. You may also need to remove an extra space in the URL if one exists.)

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their IT infrastructure. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates servers, desktop systems, end users and web applications by identifying what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing.
Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.