Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1043
Fixes for potential security vulnerabilities in IBM Lotus
Notes file viewers when viewing Ichitaro documents
17 October 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Lotus Notes
Publisher: IBM
Operating System: Linux variants
Mac OS
Mac OS X
Windows
Impact/Access: Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-0339 CVE-2011-0338 CVE-2011-0337
Reference: ESB-2011.1042
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21566925
- --------------------------BEGIN INCLUDED TEXT--------------------
Fixes for potential security vulnerabilities in IBM Lotus Notes file viewers
when viewing Ichitaro documents
Flash (Alert)
Document information
Lotus Notes
Software version:
8.0.2, 8.5, 8.5.1, 8.5.2
Operating system(s):
Linux, Mac OS, Mac OS X, Windows
Software edition:
All Editions
Reference #:
1566925
Modified date:
2011-10-07
Abstract
Secunia Research contacted IBM to report three rare potential buffer overflow
vulnerabilities (SA44310) in IBM Lotus Notes file viewers when viewing Ichitaro
documents. These vulnerabilities are resolved in IBM Lotus Notes 8.5.2 Fix Pack
3 and 8.5.3.
Content
Secunia Research contacted IBM to report three rare potential buffer overflow
vulnerabilities (SA44310) in IBM Lotus Notes file viewers when viewing
JustSystem's Ichitaro documents. Malicious attackers may compose specially-
crafted documents using JustSystem's Ichitaro word processor that cause buffer
overflows in IBM Lotus Notes. To exploit these vulnerabilities, the attacker
would send a specially-crafted file attachment to an IBM Lotus Notes user. The
attachment type will typically be .jtd but may also be .doc. The recipient would
then double-click the attachment and select "View". The three attacks vary
depending on the data contained in the malicious JustSystem Ichitaro document.
However, all three result in a crash of the Notes client. Note that IBM Lotus
Domino servers are not affected.
For more information on the exploits, see SA44310 at:
http://secunia.com/advisories/44310
Or see Common Vulnerabilities and Exposures website referencing:
* CVE-2011-0337: An integer overflow error in jtdsr.dll when parsing QLST
chunks within Ichitaro documents
* CVE-2011-0338: A boundary error in jtdsr.dll when parsing Ichitaro
documents with a chunk containing "Text" data blocks
* CVE-2011-0339: A logic error in jtdsr.dll when reconstructing text data
from multiple data blocks in an Ichitaro document
Affected versions
The following releases of IBM Lotus Notes clients are susceptible to this
malicious attack:
* 8.5.2 Fix Pack 2 and earlier
* 8.0.x
Recommended Fix
SA44310 has been investigated by IBM and is tracked in the following SPRs:
KLYH8GPJH4, KLY8GPJTX, and KLYH8GPJW8. To address the issues, customers are
encouraged to apply the following IBM Lotus Notes client releases:
* 8.5.3
* 8.5.2 Fix Pack 3 (or later Fix Packs)
Workarounds
Options to disable all viewers within IBM Lotus Notes.
Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a
dialog box will display with the message "Unable to locate the viewer
configuration file."
General Cautionary Note
Users are strongly urged to use caution when opening or viewing unsolicited file
attachments.
Attachments will not auto-execute upon opening or previewing the email message;
the file attachment must be opened by the recipient using the aforementioned
file viewer.
CVSS Score
IBM offers the following CVSS Score for all three IBM Lotus Notes Ichitaro file
viewer vulnerabilities (listed below by SPR number):
* KLYH8GPJH4
* KLY8GPJTX
* KLYH8GPJW8
Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: <4.9 >
- ---- Impact Subscore: < 6.9>
- ---- Exploitability Subscore: <3.9 >
CVSS Temporal Score: <3.8>
CVSS Environmental Score: <Undefined >
Overall CVSS Score: <3.8
Base Score Metrics:
* Related exploit range/Attack Vector: < Network >
* Access Complexity: < High >
* Authentication < Single Instance >
* Confidentiality Impact: < None >
* Integrity Impact: < None >
* Availability Impact: < Complete >
Temporal Score Metrics:
* Exploitability: < Proof of Concept Code >
* Remediation Level: < Official Fix >
* Report Confidence: < Confirmed >
References:
* CVSS v2 Complete Documentation
* CVSS v2 Online Calculator
*The CVSS Environment Score is customer environment-specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the referenced links.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Acknowledgement
This vulnerability was reported to IBM by Secunia Research. See the following
link for more information.
http://secunia.com/advisories/44310
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTpuVTO4yVqjM2NGpAQKWZQ/9ELdrXAk3jo36VhB0QjCX+9Tu6+lNdXxH
yhnQb0aR9K9UrU4WVusLdqVgn2v615Ob3pc/bbXtyF0r4vzDApVwnz/uE8PTti+l
e0Pk1BZh7f/+l8uGAWJNKvlc1Vzlkw0CuQHUKdQXaZXnAz9HFoBdzvhMGiqekshC
PzVBq2NM9f7ORMVZDNu7LfF7F+LqlATpSYOKr7XlAaMUoNpyPNulbqC8cLBSjZJY
dJYxyyk6byZyYt4uA9VOJatlww8Lyx2wRhWTxvxd/cmGWGX6RtMY2CR4CEwFPhgd
S4WqVtNrdQIL3px4G6oNfak9QP0Be/te3AAy7g1CbHHYTIuRfZB3VMvzCyKzl5tj
DaPbTrmQnoiail9TVwt/iW98djGnhiWPr4lRTJ7G7iC/2Xk+/VNv0vGjF8lCdngi
TF8BIVCooDwwmjNeUofrWJcPGMIJHdjabkHc/vH0Lg7bXYgMJEMTcrT3wJXhoI+q
8E2grPU9Pd0RpiQ9WYC1sHpGWZ0OCXgRzxS7gAYKUDPq782Ah6vK1Ar5SS2F2qbV
5THZwBZ5yMQ0Ds/0NPdAO4YHHJvVqaeVRuwF1La+QETbw6ye1uGbEV5v17BsrMjx
iR04viX76qmKHgUQv8+jEyXetREgVyKQDaBo2OWxTbQ2USj1FUFZ7oxOGfD75Kbw
DTm2i8eL5c4=
=EA6Z
-----END PGP SIGNATURE-----