Rare bug blights Lotus Notes
1-2-3 hack risk
Security researchers have discovered a rare, and potentially serious, security bug in Lotus Notes. A buffer overflow flaw in IBM's groupware package enables hackers to trick users into running hostile code on vulnerable systems.
The security bug stems from boundary errors within the Lotus 1-2-3 file viewer (l123sr.dll) component. Successful exploitation of the bug involves tricking users into viewing maliciously crafted Lotus 1-2-3 attachments, designed to allow the execution of arbitrary code on vulnerable systems.
The flaws, discovered by security researchers with Core Security, affect versions 7.x and 8.x of Lotus Notes. Other versions may also be affected.
Sys admins are advised to contact IBM support for patches, as explained here. ®
Lotus Notes - sucks?
Certainly Notes is a unique beast, I'll give it that. But the Domino server runs on almost anything - from Windows through Linux to AS/400, Solaris, etc. So it can fit into most roadmaps without too much trouble.
The client... let's not underestimate how much of a hog Outlook can be too, especially with the kludge setting to use Word as the mail editor...!!
To the person suffering CTRL-A and having to deselect manually - Edit - Deselect All. It's an educational problem (as are many things).
To those wanting POP or IMAP, you mean you want secure POP and IMAP?! The Domino server can offer this too, of course. My Domino server sits with 1352 open to the internet and forces all sessions to encrypt network traffic (that is, once you've authenticated successfully). At the same time, I can use SSL to get to webmail to send and receive emails - all pretty much out of the box.
The Notes client is so unpopular, what with only 120 million seats out there (allegedly), that it's not targeted by the kiddies. Of course a badly-implemented installation with no antivirus, antispam and so on (especially at the perimeter) can be a liability - but you can't blame Lotus Domino for that.
We have over 100'000 Notesmail users and our solution for this problem is simple; delete the offending DLL from the package and remove it from PCs.
Lotus Notes sucks? Yes, sometimes. But on the whole, it does many, many things very, very well....
Back to the original topic
The security flaw is in Autonomy's KeyView software. This is a third-party tool that ships with the Lotus Notes clients. It's the "view attachment" feature in Lotus Notes. Other companies, like Symantec and Oracle, also include the KeyView software and have the same security flaw.
Another Notes detester
We were forced to switch to Notes 6.5 in my company, which has offices all over the world. We are set up so that all mail is stored on a central server. When checking for new mail, it is S.L.O.W. I don't use it for anything else. For a Calendar, I use Mozilla's Sunbird. I could not figure out how to get Notes to do what Sunbird does for me. I wish we were allowed to use Thunderbird at work. I should note that I work with a Windows 98 box with 120 meg of memory, which doesn't help.
My biggest beef with the centralized Notes: a few days ago, one of the offices opened an email that had a virus. Since then, none of us have been able to check our email at work.
Give me a standalone POP3 or IMAP email client any day.