A trio of newly discovered vulnerabilities in the IBM Lotus Notes R6.x client could put sensitive information on...
users' PCs at risk, according to the security expert who discovered the problems. Fortunately for enterprises, the details are still under wraps.
The vulnerabilities stem from unspecified errors that take place when the Notes client handles Java applets. Jouko Pynnonen, an independent security consultant based in Jyvaskyla, Finland, discovered the vulnerabilities.
In an interview with SearchDomino.com, Pynnonen declined to reveal any detailed information about the vulnerabilities, citing concerns that once malicious programmers learn about the issues, they could be exploited without much difficulty.
Even with just a small amount of information, Pynnonen said, "someone could easily get the idea of what the problem is and start exploiting it."
He did reveal that the vulnerabilities could be exploited through the sending of harmful Java applets to Notes users via e-mail, and that he originally discovered them approximately two months ago.
"It's when you open an e-mail in Notes that may contain malicious applets," Pynnonen said. Certain applets are handled in such a way that allows a hacker to access certain files on a user's hard disk, and possibly retrieve them surreptitiously via e-mail.
Pynnonen said it's unlikely that those looking to spread viruses or worms could successfully exploit the vulnerability because its scope is limited.
"It can only read some files, and it can't really do many things; it can't execute any code," Pynnonen said. "It can only read some files. So it's not so good for viruses, I don't think, but it's also possible that there could be a virus contained in that kind of exploit."
IBM posted an acknowledgment of Pynnonen's alleged findings last Friday on its Lotus Support Services Web site, but has yet to officially confirm the vulnerabilities. However, Pynnonen said IBM has already confirmed the existence of two of the vulnerabilities to him, while a third is still under investigation.
In its acknowledgment of Pynnonen's report, IBM stated that Java applets could be disabled via the following procedure: Select File --> Preferences --> User Preferences from the Notes client menu, then uncheck Enable Java applets option.
Pynnonen said the seriousness of the vulnerabilities is on the same scale as the recent Notes URL handler flaw, which was described as moderately critical by Copenhagen, Denmark-based security consultancy Secunia.
Over the years many have considered Notes and Domino to be considerably more secure than Outlook and Exchange, the enterprise messaging software from Microsoft. Pynnonen said that more vulnerabilities have been in found in Microsoft's software because there have been more people looking for them. He said it's likely that there are a number of as-yet undiscovered security problems in Notes and Domino as well.
"This is something that's in almost every product, and I can't tell for sure how many and what kind of vulnerabilities there are, but IBM isn't an exception," Pynnonen said. "There are vulnerabilities in every product, and I think there will be some new ones discovered in Notes also."