The Register® — Biting the hand that feeds IT


Rare bug blights Lotus Notes

1-2-3 hack risk


Security researchers have discovered a rare, and potentially serious, security bug in Lotus Notes. A buffer overflow flaw in IBM's groupware package enables hackers to trick users into running hostile code on vulnerable systems.

The security bug stems from boundary errors within the Lotus 1-2-3 file viewer (l123sr.dll) component. Successful exploitation of the bug involves tricking users into viewing maliciously crafted Lotus 1-2-3 attachments, designed to allow the execution of arbitrary code on vulnerable systems.
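The boundary-error class the article describes, as an added illustration (constructed example code, not IBM's, Autonomy's or Core Security's code; the cell-record layout, the constant CELL_MAX and the two parser functions are invented for this example): a toy file-viewer parser that trusts the length byte stored in the attachment, beside the same parser with the checks a viewer needs before copying attacker-controlled bytes into a fixed buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy cell-record format, NOT the real Lotus 1-2-3 layout:
 *   byte 0: record type
 *   byte 1: payload length (len)
 *   bytes 2..2+len: payload
 * Records follow one another until the input is exhausted. */
#define CELL_MAX 16

typedef struct {
    int records;   /* records parsed successfully */
    int rejected;  /* records refused by the bounds checks (checked parser only) */
} parse_result_t;

/* "Before": the length byte from the file is trusted. A record whose len
 * exceeds CELL_MAX overwrites the stack past cell[], and a len larger than
 * the bytes remaining reads past the input. This mirrors the boundary-error
 * class in the article, not the vendor's actual code; it is only ever called
 * on well-formed input below. */
parse_result_t parse_cells_unchecked(const uint8_t *buf, size_t n) {
    parse_result_t r = {0, 0};
    size_t off = 0;
    while (off + 2 <= n) {
        uint8_t len = buf[off + 1];
        uint8_t cell[CELL_MAX];
        memcpy(cell, buf + off + 2, len);   /* no check against CELL_MAX or n */
        (void)cell;
        off += 2 + (size_t)len;
        r.records++;
    }
    return r;
}

/* "After": the declared length is checked against both the destination
 * buffer and the bytes actually left in the input before any copy. A
 * malformed record stops parsing instead of being trusted. */
parse_result_t parse_cells_checked(const uint8_t *buf, size_t n) {
    parse_result_t r = {0, 0};
    size_t off = 0;
    while (off + 2 <= n) {
        uint8_t len = buf[off + 1];
        uint8_t cell[CELL_MAX];
        /* off + 2 <= n holds here, so n - (off + 2) cannot underflow */
        if (len > CELL_MAX || (size_t)len > n - (off + 2)) {
            r.rejected++;
            break;
        }
        memcpy(cell, buf + off + 2, len);
        (void)cell;
        off += 2 + (size_t)len;
        r.records++;
    }
    return r;
}

/* Constructed sample streams (not taken from any real file). */
static const uint8_t GOOD_STREAM[]      = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 }; /* two records */
static const uint8_t OVERSIZED_STREAM[] = { 0x01, 0x40, 'x' };                       /* claims 64 bytes */
static const uint8_t TRUNCATED_STREAM[] = { 0x01, 0x05, 'x' };                       /* claims 5, has 1 */

int main(void) {
    parse_result_t g = parse_cells_checked(GOOD_STREAM, sizeof GOOD_STREAM);
    parse_result_t o = parse_cells_checked(OVERSIZED_STREAM, sizeof OVERSIZED_STREAM);
    parse_result_t t = parse_cells_checked(TRUNCATED_STREAM, sizeof TRUNCATED_STREAM);
    printf("good: %d parsed, %d rejected\n", g.records, g.rejected);
    printf("oversized: %d parsed, %d rejected\n", o.records, o.rejected);
    printf("truncated: %d parsed, %d rejected\n", t.records, t.rejected);
    return 0;
}
```

Both checks matter: the first protects the destination buffer, the second protects the read side, and a viewer that enforces only one of them still has a memory-safety bug that a crafted attachment can reach.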

The flaw, discovered by security researchers at Core Security, affects versions 7.x and 8.x of Lotus Notes. Other versions may also be affected.

Sys admins are advised to contact IBM support for patches, as explained here. ®


Latest Comments

Lotus Notes - sucks?

Certainly Notes is a unique beast, I'll give it that. But the Domino server runs on almost anything - from Windows through Linux to AS/400, Solaris, etc. So it can fit into most roadmaps without too much trouble.

The client.....let's not underestimate how much of a hog Outlook can be too, especially with the kludge setting to use Word as the mail editor...!!

To the person suffering CTRL-A and having to deselect manually - Edit - Deselect All. It's an educational problem (as are many things).

To those wanting POP or IMAP, you mean you want secure POP and IMAP?! The Domino server can offer this too, of course. My Domino server sits with 1352 open to the internet and forces all sessions to encrypt network traffic (that is, once you've authenticated successfully). At the same time, I can use SSL to get to webmail to send and receive emails - all pretty much out of the box.

The Notes client is so unpopular, what with only 120 million seats out there (allegedly), that it's not targeted by the kiddies. Of course a badly-implemented installation with no antivirus, antispam and so on (especially at the perimeter) can be a liability - but you can't blame Lotus Domino for that.

We have over 100'000 Notesmail users and our solution for this problem is simple; delete the offending DLL from the package and remove it from PCs.

Lotus Notes sucks? Yes, sometimes. But on the whole, it does many, many things very, very well....

Anonymous Coward

Back to the original topic

The security flaw is in Autonomy's Key View software. This is a 3rd party tool that ships with the Lotus Notes clients. It's the "view attachment" feature in Lotus Notes. Other companies, like Symantec and Oracle, also include the Key View software and have the same security flaw.


Another Notes detester

We were forced to switch to Notes 6.5 in my company, which has offices all over the world. We are set up so that all mail is stored on a central server. When checking for new mail, it is S.L.O.W. I don't use it for anything else. For a calendar, I use Mozilla's Sunbird. I could not figure out how to get Notes to do what Sunbird does for me. I wish we were allowed to use Thunderbird at work. I should note that I work with a Windows 98 box with 120 meg of memory, which doesn't help.

My biggest beef with the centralized Notes: a few days ago, one of the offices opened an email that had a virus. Since then, none of us have been able to check our email at work.

Give me a stand-alone POP3 or IMAP email client any day.

