Security researchers have discovered a rare, and potentially serious, security bug in Lotus Notes. A buffer overflow flaw [1] in IBM's groupware package enables hackers to trick users into running hostile code on vulnerable systems.

The security bug stems from boundary errors within the Lotus 1-2-3 file viewer (l123sr.dll) component. Successful exploitation of the bug involves tricking users into viewing maliciously crafted Lotus 1-2-3 attachments, designed to allow the execution of arbitrary code on vulnerable systems.

The flaws, discovered [2] by security researchers with Core Security, affect versions 7.x and 8.x of Lotus Notes. Other versions may also be affected.

Sys admins are advised to contact IBM support for patches, as explained here [3]. ®

Links

1. http://secunia.com/advisories/27835
2. http://www-1.ibm.com/support/docview.wss?uid=swg21285600
3. http://lists.grok.org.uk/pipermail/full-disclosure/2007-November/058680.html

Related stories

• IBM hopes open office is Symphony to your key-tapping fingers (19 September 2007)

  http://www.theregister.co.uk/2007/09/19/ibm_office_symphony_open_source/

• Lotus leaps into social networking (25 June 2007)

  http://www.theregister.co.uk/2007/06/25/lotus_connections/

• McAfee upgrade plays nasty with Lotus Notes (23 January 2007)

  http://www.theregister.co.uk/2007/01/23/mcafee_lotus_notes/

• IBM puts cash bounty on Exchange server converts (31 March 2006)

  http://www.channelregister.co.uk/2006/03/31/exchange_notes_migraiton/

• Confusion over serious Notes, Domino vulns (11 March 2003)

  http://www.theregister.co.uk/2003/03/11/confusion_over_serious_notes_domino/