Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0183 -- [Win]
       Potential security issue with the Execution Control List and
              Notes signatures on Java applets in Lotus Notes
                             22 February 2008


        AusCERT Security Bulletin Summary

Product:              Lotus Notes 8.0
                      Lotus Notes 7.0
                      Lotus Notes 6.5
                      Lotus Notes 6.0
Publisher:            IBM
Operating System:     Windows
Impact:               Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0862

Revision History:     February 22 2008: Added CVE Number.
                      February 21 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Java applet signatures and the Execution Control List

Technote (FAQ)

David Gloede contacted IBM Lotus to report a potential security issue 
with the Execution Control List (ECL) and Notes signatures on Java applets.

The Execution Control List (ECL) enables administrators and users to 
protect their data against the threats of e-mail bombs, viruses, Trojan 
horses, and unwanted application intrusions. The ECL provides the mechanism 
for managing whether such programs or code should be allowed to execute 
based upon a Notes signature. In this specific situation, it has been 
determined that an unsigned applet would be signed when acted upon.

In order for an attacker to successfully exploit this vulnerability, the 
following must be accomplished:

For the purposes of this example the following are defined:
- - Attacker (original sender)
- - User 1 (original recipient - Notes User)
- - User 2 (recipient of forwarded message - Notes User)

(1) Attacker must create a Java applet and send it to User1 over the 
    Internet. At this point, the Java applet does not have a Notes 
    signature. If ECLs are properly configured (that is, Default and No 
    Signature set to "No Access") an Execution Security Alert (ESA) will 
    be generated when the document is opened by User1.

(2) User1 must forward the mail using Lotus Notes to User2. The previously 
    unsigned applet will now be signed by User1 using Notes signatures.

(3) At this point, User2 must have the "Enable Java Applets" option enabled 
    within User Preferences

(4) Additionally, the ECL of User2 must allow User1 proper rights to 
    execute Java

(5) If User1 is trusted to sign Java applets, then this Java applet would 
    execute according to the rights assigned within User2's ECL.

This issue was reported to Quality Engineering as SPR# TMDS6W826S and 

Suggested Workarounds

There are two options that can be taken to prevent this potential issue.

Option #1: Disable the setting for "Enable Java Applets"
a. From the Lotus Notes client File menu, select 
   File-->Preferences-->User Preferences
b. On the Basics tab, under Additional Options
c. Deselect "Enable Java Applets"
d. The result is that no Java Applets will be allowed to execute within 
   Lotus Notes.

Note: If your organization does not develop Java applets for use within 
Notes database applications (NOT Java agents, which run under the rights 
assigned to Workstation security), then there is no need to enable Java 
applets within Notes.

Option #2: Use a trusted signature for all Java Applets
First, you must create a Notes ID file that will be used to sign Java 
applets. It is recommended that this ID file not be assigned to an 
actual user . It should be registered as an application signing ID 
(for example: "Java Applet Signature" or "xxx Application Signing )

Next, the users ECLs must be updated. This can be done using a policy or 
on an individual basis.

To manage the ECL for a all users
The ECL can be managed centrally by using the Administration ECL found in 
the Security Policy.

1. Open the Domino Directory and go to the Policy section.

2. Choose the Security Policy and navigate to the "Execution Control List" 

3. Edit the Admin ECL to make any necessary changes to the "Java Applet" 

4. Add your new trusted signature name to the "When applet is signed by:" 
   list by clicking Add, enter the name trusted signature, and then click OK.

5. Select the signature name you just added and enable the types of access 
   you want

To learn more about the Administration ECL and how to manage it, refer 
to "Deploying and updating workstation ECLs" and "the Administration ECL" 
topics discussed in the Domino Administrator Help.

To change the ECL for a single user.

1. Select File -> Security -> User Security.
(Macintosh OS X users: Select Notes -> Security -> User Security.)

2. Select "What Others Do" and then select "Using Applets".

3. The "When applet is signed by:" list should contain only signature 
   names that are fully trusted.

4. Add your new trusted signature name to the "When applet is signed by:" 
   list by clicking Add, enter the name trusted signature, and then click OK.

5. Select the signature name you just added and enable the desired access 

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967