Users Vulnerable to Attack When Viewing Corrupt Lotus 1-2-3 File Attachments
BOSTON, MA - November 27, 2007 - Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing, today issued an advisory disclosing several vulnerabilities that could severely impact the thousands of organizations using IBM Lotus Notes. The buffer overflow vulnerabilities affect the groupware application and can be triggered by enticing users to open corrupt email attachments.
The email functionality of Lotus Notes supports previewing and processing file attachments in various formats. A researcher from CoreLabs, the research arm of Core Security, discovered that by exploiting vulnerabilities in the Lotus WorkSheet file processor, an attacker could leverage a specially crafted Lotus 1-2-3 email attachment to remotely execute arbitrary commands and compromise vulnerable systems when users “view” the attachment.
“This is a severe threat to organizations that use Lotus Notes for corporate email communications,” said Ivan Arce, CTO at Core Security Technologies. “The discovery of this vulnerability in the Lotus Notes client underlines, once again, that securing endpoint systems and the applications that run on them is critical and that no vendor is immune to the perils of client application security. Vulnerable organizations should be prepared to quickly deploy the appropriate fixes and workarounds and users of the Lotus Notes client should use caution when presented with unknown file attachments, especially those from unfamiliar senders.”
CoreLabs discovered several buffer overflow vulnerabilities in the third-party library from software vendor Autonomy. To preview and process files in the Lotus Worksheet File format (WKS) used by Lotus 1-2-3, the Lotus Notes email client uses Autonomy’s Verity KeyView SDK. As tested, the vulnerabilities affect Lotus Notes Version 7, but Core Security cautions that the problem may also affect other applications using Verity KeyView SDK.
Although the exploitation of these vulnerabilities requires user intervention and the vulnerability is present on a third-party component, the problem is compounded by the way Lotus Notes displays information about attachments, which makes it easier to elicit assistance from unsuspecting users. Some particular characteristics of the Lotus Notes client could allow an attacker to send a malicious Lotus 1-2-3 file as an attachment with a seemingly innocuous file name and extension (for example, .JPG or .GIF) that could more easily lure users into viewing the file.
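A mail gateway or triage script can catch the extension mismatch described above by comparing each attachment's file name with its leading bytes. The Python code below is an added example, not code from Core Security, IBM or Autonomy; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading bytes that genuine files of each image type start with.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def mismatched_attachments(raw_message: bytes) -> list[str]:
    """Return names of attachments whose image extension does not match their content."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        signatures = IMAGE_SIGNATURES.get(ext)
        if signatures is None:
            continue  # extension not covered by this check
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(signatures):
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed message: one genuine GIF header, one non-image payload named .JPG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16,
                       maintype="image", subtype="gif", filename="logo.gif")
    # Placeholder bytes standing in for any non-image content (constructed).
    msg.add_attachment(b"NOT-AN-IMAGE" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="holiday.JPG")
    return msg.as_bytes()


if __name__ == "__main__":
    print(mismatched_attachments(build_sample()))
```

Flagged attachments can be quarantined or stripped before they reach the Notes client, independent of whether the viewer fix has been deployed.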
IBM has acknowledged this security problem and made a fix available for l123sr.dll. IBM recommends that customers follow the instructions in its technote, which outlines the options customers have based on their current version of Lotus Notes. The technote can be found at: http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600
To protect against potential attacks, Core Security recommends that users immediately implement one of the following measures:
- Workaround 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message “Unable to locate the viewer configuration file.”
- Workaround 2: Delete the problem file (l123sr.dll). When a user tries to view the specific file type, a dialog box will display with the message “The viewer display window could not be initialized.” All other file types work without returning the error message.
Additional workarounds can be found in the detailed advisory. Please contact us to learn more.
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their IT infrastructure. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates servers, desktop systems, end users and web applications by identifying what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
Tim Whitman or Megan Prock