-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1043
         Fixes for potential security vulnerabilities in IBM Lotus
            Notes file viewers when viewing Ichitaro documents
                              17 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Lotus Notes
Publisher:         IBM
Operating System:  Linux variants
                   Mac OS
                   Mac OS X
                   Windows
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0339 CVE-2011-0338 CVE-2011-0337

Reference:         ESB-2011.1042

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21566925

- --------------------------BEGIN INCLUDED TEXT--------------------

Fixes for potential security vulnerabilities in IBM Lotus Notes file viewers 
when viewing Ichitaro documents
Flash (Alert)

Document information
Lotus Notes

Software version:
8.0.2, 8.5, 8.5.1, 8.5.2

Operating system(s):
Linux, Mac OS, Mac OS X, Windows

Software edition:
All Editions

Reference #:
1566925

Modified date:
2011-10-07

Abstract

Secunia Research contacted IBM to report three rare potential buffer overflow 
vulnerabilities (SA44310) in IBM Lotus Notes file viewers when viewing Ichitaro 
documents. These vulnerabilities are resolved in IBM Lotus Notes 8.5.2 Fix Pack 
3 and 8.5.3.

Content

Secunia Research contacted IBM to report three rare potential buffer overflow 
vulnerabilities (SA44310) in IBM Lotus Notes file viewers when viewing 
JustSystem's Ichitaro documents. Malicious attackers may compose specially-
crafted documents using JustSystem's Ichitaro word processor that cause buffer 
overflows in IBM Lotus Notes. To exploit these vulnerabilities, the attacker 
would send a specially-crafted file attachment to an IBM Lotus Notes user. The 
attachment type will typically be .jtd but may also be .doc. The recipient would 
then double-click the attachment and select "View". The three attacks vary 
depending on the data contained in the malicious JustSystem Ichitaro document. 
However, all three result in a crash of the Notes client. Note that IBM Lotus 
Domino servers are not affected.

For more information on the exploits, see SA44310 at:
http://secunia.com/advisories/44310

Or see Common Vulnerabilities and Exposures website referencing:

    * CVE-2011-0337: An integer overflow error in jtdsr.dll when parsing QLST 
      chunks within Ichitaro documents
    * CVE-2011-0338: A boundary error in jtdsr.dll when parsing Ichitaro 
      documents with a chunk containing "Text" data blocks
    * CVE-2011-0339: A logic error in jtdsr.dll when reconstructing text data 
      from multiple data blocks in an Ichitaro document 


Affected versions

The following releases of IBM Lotus Notes clients are susceptible to this 
malicious attack:

    * 8.5.2 Fix Pack 2 and earlier
    * 8.0.x

Recommended Fix

SA44310 has been investigated by IBM and is tracked in the following SPRs: 
KLYH8GPJH4, KLY8GPJTX, and KLYH8GPJW8. To address the issues, customers are 
encouraged to apply the following IBM Lotus Notes client releases:

    * 8.5.3
    * 8.5.2 Fix Pack 3 (or later Fix Packs)


Workarounds

Options to disable all viewers within IBM Lotus Notes.

Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a 
dialog box will display with the message "Unable to locate the viewer 
configuration file."

General Cautionary Note

Users are strongly urged to use caution when opening or viewing unsolicited file 
attachments.

Attachments will not auto-execute upon opening or previewing the email message; 
the file attachment must be opened by the recipient using the aforementioned 
file viewer.

CVSS Score
IBM offers the following CVSS Score for all three IBM Lotus Notes Ichitaro file 
viewer vulnerabilities (listed below by SPR number):

    * KLYH8GPJH4
    * KLY8GPJTX
    * KLYH8GPJW8

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: <4.9 >
- ---- Impact Subscore: < 6.9>
- ---- Exploitability Subscore: <3.9 >
CVSS Temporal Score: <3.8>
CVSS Environmental Score: <Undefined >
Overall CVSS Score: <3.8
Base Score Metrics:

    * Related exploit range/Attack Vector: < Network >
    * Access Complexity: < High >
    * Authentication < Single Instance >
    * Confidentiality Impact: < None >
    * Integrity Impact: < None >
    * Availability Impact: < Complete >

Temporal Score Metrics:

    * Exploitability: < Proof of Concept Code >
    * Remediation Level: < Official Fix >
    * Report Confidence: < Confirmed >

References:

    * CVSS v2 Complete Documentation
    * CVSS v2 Online Calculator 


*The CVSS Environment Score is customer environment-specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the referenced links.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF 
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY 
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Acknowledgement

This vulnerability was reported to IBM by Secunia Research. See the following 
link for more information.

http://secunia.com/advisories/44310

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTpuVTO4yVqjM2NGpAQKWZQ/9ELdrXAk3jo36VhB0QjCX+9Tu6+lNdXxH
yhnQb0aR9K9UrU4WVusLdqVgn2v615Ob3pc/bbXtyF0r4vzDApVwnz/uE8PTti+l
e0Pk1BZh7f/+l8uGAWJNKvlc1Vzlkw0CuQHUKdQXaZXnAz9HFoBdzvhMGiqekshC
PzVBq2NM9f7ORMVZDNu7LfF7F+LqlATpSYOKr7XlAaMUoNpyPNulbqC8cLBSjZJY
dJYxyyk6byZyYt4uA9VOJatlww8Lyx2wRhWTxvxd/cmGWGX6RtMY2CR4CEwFPhgd
S4WqVtNrdQIL3px4G6oNfak9QP0Be/te3AAy7g1CbHHYTIuRfZB3VMvzCyKzl5tj
DaPbTrmQnoiail9TVwt/iW98djGnhiWPr4lRTJ7G7iC/2Xk+/VNv0vGjF8lCdngi
TF8BIVCooDwwmjNeUofrWJcPGMIJHdjabkHc/vH0Lg7bXYgMJEMTcrT3wJXhoI+q
8E2grPU9Pd0RpiQ9WYC1sHpGWZ0OCXgRzxS7gAYKUDPq782Ah6vK1Ar5SS2F2qbV
5THZwBZ5yMQ0Ds/0NPdAO4YHHJvVqaeVRuwF1La+QETbw6ye1uGbEV5v17BsrMjx
iR04viX76qmKHgUQv8+jEyXetREgVyKQDaBo2OWxTbQ2USj1FUFZ7oxOGfD75Kbw
DTm2i8eL5c4=
=EA6Z
-----END PGP SIGNATURE-----