===========================================================================
AUSCERT Security Bulletin

ASB-2010.0183
Multiple Lotus Notes file viewer vulnerabilities
28 July 2010
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Lotus Notes
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-0131 CVE-2010-0133 CVE-2010-1525 CVE-2010-1524
                   CVE-2009-3032 CVE-2010-0126 CVE-2010-0135
Member content until: Friday, August 27 2010
Reference:         ESB-2010.0227

OVERVIEW

Security vulnerabilities have been identified in the IBM Lotus Notes file viewers shipped with Notes versions 5.0, 6.5.6, 7.0, 8.0, 8.0.1, 8.0.2, 8.5 and 8.5.1. [1]

IMPACT

The vendor has provided the following information regarding this vulnerability:

"To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and then users would have to double-click the attachment and select "View". The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted." [1]

MITIGATION

IBM has released the following fix packs to correct the problem:

* 8.0.2 Fix Pack 6 (available on Fix Central as of July 26, 2010; release notice)
* 8.5.1 Fix Pack 4 (available on Fix Central by August 4, 2010; preliminary release notice)

Various workarounds are also listed on the vendor's website. Versions 5, 6 and 7 have workarounds only; no fix pack is available for them. [1]

REFERENCES

[1] Fixes for potential security vulnerabilities in Lotus Notes file viewers (July 2010)
    http://www-01.ibm.com/support/docview.wss?uid=swg21440812&myns=swglotus&mynp=OCSSKTWP&mync=E

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

Bulletin page: http://www.auscert.org.au/render.html?it=1967