===========================================================================
             AUSCERT External Security Bulletin Redistribution

  ESB-2006.0641 -- [Win] IBM Lotus Notes File Viewer Overflow Vulnerability
                                (dunzip32.dll)
                              7 September 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Lotus Notes 6.5x clients
Publisher:            IBM
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated

Original Bulletin:
  http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932

Comment: This ESB describes a vulnerability in a third party library
         (DUNZIP32.dll) which may be present in products other than
         Lotus Notes. More information can be found in the US-CERT
         vulnerability note VU#582498:
         http://www.kb.cert.org/vuls/id/582498

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Lotus Notes File Viewer Overflow Vulnerability (dunzip32.dll)

Technote (FAQ)

Problem

CERT and Juha-Matti Laurio each independently contacted IBM Lotus to report
a buffer overflow vulnerability in the InnerMedia DynaZip library used in
Lotus Notes 6.5x clients that run on Microsoft Windows operating systems.

To successfully exploit these issues, an attacker would need to send a
specially crafted file attachment to users via email, and the users would
have to double-click and "View" the attachment. This issue applies to zip
file attachments only. If successfully exploited, this vulnerability will
cause the Notes client to crash and may allow execution of arbitrary code.

This issue has been documented by the following advisories:

CERT VU# 582498:
  http://www.kb.cert.org/vuls/id/582498

Networksecurity.fi Security Advisory:
  http://www.networksecurity.fi/advisories/lotus-notes.html

Solution

This issue was reported to IBM Lotus Quality Engineering as SPR# KSPR67MNMU
and addressed in Notes 6.5.5 and Notes 7.0. Refer to the Upgrade Central
site for details on upgrading Notes/Domino to these releases.

Workaround if 6.5.5 DLL is available:

The buffer overflow vulnerability affects the dunzip32.dll file. This DLL
file has been updated in the fixed releases. If you cannot immediately
upgrade the Notes client in your environment, then it is possible to
correct the issue by copying the revised version of the dunzip32.dll file
from a 6.5.5 release over the version found in earlier 6.x releases.

Workaround if 6.5.5 is not available:

To work around this issue in previous releases of Notes, the affected file
viewer can be disabled either by commenting out the relevant DLLs in the
keyview.ini file found in the program directory or by deleting the files
from the program directory. There are three options for disabling this
viewer:

1. Delete the keyview.ini file in the Notes program directory. This
   disables ALL viewers. When a user clicks View (for any file), a dialog
   box will be displayed with the message "Unable to locate the viewer
   configuration file."

2. Delete the problem file (dunzip32.dll). When a user tries to view the
   specific file types (zip archives), a dialog box will be displayed with
   the message "The viewer display window could not be initialized." All
   other file types work without returning the error message.

3. Set the ViewerConfigFile to an invalid file name using a policy. This
   can be done by adding a field to your Desktop Settings policy with the
   name $PrefViewerConfigFile and setting it to an invalid file.
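An added example, not part of the bulletin or IBM's technote: a small Python audit that classifies a Notes program directory by which of the three workarounds above is in effect, reading ViewerConfigFile from notes.ini (assumed to be a plain Key=Value file) and checking for keyview.ini and dunzip32.dll in the program directory. The sample directories it builds are constructed in temporary folders; it cannot distinguish the fixed 6.5.5 dunzip32.dll from the vulnerable one, so a present DLL is reported as exposed and the release must be confirmed separately.

```python
# Added example, not from the bulletin: classify a Notes program directory by
# which dunzip32.dll workaround is in effect. Assumes notes.ini is a plain
# Key=Value file and that keyview.ini / dunzip32.dll sit in the program dir.
from pathlib import Path
import tempfile

ALL_VIEWERS_OFF = "all-viewers-disabled"  # options 1 and 3: no viewer config file
ZIP_VIEWER_OFF = "zip-viewer-disabled"    # option 2: dunzip32.dll removed
EXPOSED = "exposed"                       # DLL and viewer config both present


def read_notes_ini(program_dir: Path) -> dict:
    """Parse notes.ini as Key=Value lines (keys lower-cased); missing file -> {}."""
    settings = {}
    ini = program_dir / "notes.ini"
    if ini.is_file():
        for line in ini.read_text(errors="replace").splitlines():
            line = line.strip()
            if "=" in line and not line.startswith(";"):
                key, _, value = line.partition("=")
                settings[key.strip().lower()] = value.strip()
    return settings


def viewer_config_path(program_dir: Path) -> Path:
    """ViewerConfigFile from notes.ini if set (relative names resolve against
    the program directory); otherwise the default keyview.ini there."""
    value = read_notes_ini(program_dir).get("viewerconfigfile", "")
    if not value:
        return program_dir / "keyview.ini"
    path = Path(value)
    return path if path.is_absolute() else program_dir / path


def assess_notes_dir(program_dir) -> str:
    """Report the workaround state; a present dunzip32.dll is EXPOSED because
    this check cannot tell the fixed 6.5.5 DLL from the vulnerable one."""
    program_dir = Path(program_dir)
    if not viewer_config_path(program_dir).is_file():
        return ALL_VIEWERS_OFF
    if not (program_dir / "dunzip32.dll").is_file():
        return ZIP_VIEWER_OFF
    return EXPOSED


def make_sample_dir(files: dict) -> str:
    """Construct a throwaway Notes-like directory from {filename: contents}."""
    d = tempfile.mkdtemp(prefix="notes-sample-")
    for name, content in files.items():
        (Path(d) / name).write_text(content)
    return d
```

Point assess_notes_dir at a real client's program directory to see which option is in force; any directory reported exposed needs the upgrade or one of the workarounds.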
Note that if an administrator chooses to set the ViewerConfigFile to an
invalid file name, they will get the same result as Option 1 above. When a
user clicks View (for any file), a dialog box will be displayed with the
message "Unable to locate the viewer configuration file." This disables ALL
viewers.

General instructions on how to distribute notes.ini parameters via policies
have been published in the Domino 7 Administrator's Help Guide under the
topic "Using policies to assign NOTES.INI or Location document settings to
Notes client users."

To use a policy to assign a NOTES.INI value to Notes client users, use the
Domino Designer to add a new field to the Desktop Policy Settings document.
The new field must be named $PrefVariableName, where VariableName is the
name of the NOTES.INI variable you want to set. In the new field on the
Desktop Policy Settings document, enter the value you want assigned to that
NOTES.INI variable. That is the value that is set in the NOTES.INI for the
assigned Notes users.

To push a notes.ini parameter down via a Desktop policy, perform the
following steps:

a. From the Domino Designer, open the Desktop Policy Settings document form.
b. Create a new field named $PrefViewerConfigFile.
c. Assign the default value of the field $PrefViewerConfigFile to an invalid
   file name.
d. Save and exit.
e. Create a Desktop Settings document as you normally would.
f. Create a Policy document for your users and select the Desktop Settings
   document created in Step 5. Save and close the Policy document.
g. If you created an explicit policy, assign it to your users.
h. When the Notes clients authenticate with the server, the notes.ini
   parameter should be pushed down. (Be aware that the Notes client dynamic
   configuration (DCC) must run, and it may take until the next day for
   this setting to take effect.)

Additional background:

In general, users are strongly urged to use caution when opening or viewing
unsolicited file attachments. The attachment(s) will not auto-execute upon
opening or previewing the email message; the file attachment must be opened
by the user using the affected file viewer (from the menu bar, select
"Attachment", then select "View").

Note: This affects the Notes client on Microsoft Windows operating systems
only. The Domino server is not affected by this issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================