Java applet flaws found in Notes

A consultant has discovered three Java applet flaws in Lotus Notes that could expose sensitive data. IBM has not yet offered fixes, but Notes users can stay secure by disabling Java applets.

A trio of newly discovered vulnerabilities in the IBM Lotus Notes R6.x client could put sensitive information on users' PCs at risk, according to the security expert who discovered the problems. Fortunately for enterprises, the details are still under wraps.

The vulnerabilities stem from unspecified errors that take place when the Notes client handles Java applets. Jouko Pynnonen, an independent security consultant based in Jyvaskyla, Finland, discovered the vulnerabilities.

In an interview with SearchDomino.com, Pynnonen declined to reveal any detailed information about the vulnerabilities, citing concerns that once malicious programmers learn about the issues, they could be exploited without much difficulty.

Even with just a small amount of information, Pynnonen said, "someone could easily get the idea of what the problem is and start exploiting it."

He did reveal that the vulnerabilities could be exploited through the sending of harmful Java applets to Notes users via e-mail, and that he originally discovered them approximately two months ago.

"It's when you open an e-mail in Notes that may contain malicious applets," Pynnonen said. Certain applets are handled in such a way that allows a hacker to access certain files on a user's hard disk, and possibly retrieve them surreptitiously via e-mail.

Pynnonen said it's unlikely that those looking to spread viruses or worms could successfully exploit the vulnerability because its scope is limited.

"It can only read some files, and it can't really do many things; it can't execute any code," Pynnonen said. "It can only read some files. So it's not so good for viruses, I don't think, but it's also possible that there could be a virus contained in that kind of exploit."

IBM posted an acknowledgment of Pynnonen's alleged findings last Friday on its Lotus Support Services Web site, but has yet to officially confirm the vulnerabilities. However, Pynnonen said IBM has already confirmed the existence of two of the vulnerabilities to him, while a third is still under investigation.


While an official fix is not yet available, Pynnonen said the threat could be eliminated by disabling Java applets. "I have tested it, and that is a good way to prevent it," he said.

In its acknowledgment of Pynnonen's report, IBM stated that Java applets can be disabled with the following procedure: select File --> Preferences --> User Preferences from the Notes client menu, then uncheck the Enable Java applets option.

Pynnonen said the seriousness of the vulnerabilities is on the same scale as the recent Notes URL handler flaw, which was described as moderately critical by Copenhagen, Denmark-based security consultancy Secunia.

Over the years many have considered Notes and Domino to be considerably more secure than Outlook and Exchange, the enterprise messaging software from Microsoft. Pynnonen said that more vulnerabilities have been found in Microsoft's software because there have been more people looking for them. He said it's likely that there are a number of as-yet undiscovered security problems in Notes and Domino as well.

"This is something that's in almost every product, and I can't tell for sure how many and what kind of vulnerabilities there are, but IBM isn't an exception," Pynnonen said. "There are vulnerabilities in every product, and I think there will be some new ones discovered in Notes also."
