IBM fixes four flaws in Notes e-mail, Domino server

The most serious, an IMAP bug, could be used to hijack client or server

IBM patched four vulnerabilities in its Notes and Domino e-mail software to plug holes that could be used to access information or infect systems with malicious code.

Collectively ranked as "moderately critical" by Danish bug tracker Secunia ApS, the four vulnerabilities involve Notes' IMAP service; its scripting language, LotusScript; the Domino server's command console; and how both Notes and Domino map memory in Windows when they're used in a shared environment such as Citrix.

"Lotus Domino is prone to a vulnerability that may allow attackers to access other users' sessions," said Symantec in an advisory posted mid-week. A Symantec researcher, Ollie Whitehouse, was credited with reporting the memory mapping bug to IBM.

"If the Lotus Notes client is used in a Microsoft Terminal Services or Citrix environment, users can read each other's Lotus Notes session data, including items such as e-mail," the Symantec advisory said. "This vulnerability could also be used to write to the memory mapped files, [allowing] an attacker to potentially inject active content such as Lotus Script."

Rated slightly higher on the threat scoring system that IBM applies to bugs, however, was the IMAP vulnerability, credited to iDefense Labs, a security intelligence firm owned by VeriSign.

Attackers could exploit the IMAP (Internet Message Access Protocol) bug to cause a buffer overflow, which would then allow them to execute malicious code remotely. "Under Windows, the privileges gained are, by default, that of the SYSTEM user," said iDefense in a warning posted mid-week. "This allows an attacker to take complete control of the compromised system."

The caveat: Attackers must have valid logon credentials for the IMAP service. Those, however, could be obtained in a phishing attack; alternatively, a disgruntled employee with access to IMAP could launch an attack.

IBM issued security bulletins for each vulnerability, and provided links to updates to versions 7.0.3 and 8.0 that patch the problems. The updates can also be downloaded from the Lotus Upgrade Central Web site.


Gregg Keizer

Computerworld
