IBM issues fixes for flaws in Lotus Notes 6.5.4 and 7.0


IBM Corp. announced fixes on Saturday to remedy six "highly critical" security flaws in Lotus Notes versions 6.5.4 and 7.0. Malicious attackers could exploit the flaws to execute arbitrary code or delete arbitrary files. Upgrading to version 6.5.5 or 7.0.1 fixes the flaws, which mainly affect the Notes attachment viewer.


Secunia Research reported the vulnerabilities to IBM.

The first flaw occurs when a user of the Notes attachment viewer attempts to extract a file with a long filename from a ZIP archive. A boundary error can cause a stack-based buffer overflow, allowing execution of arbitrary code. This flaw is confirmed in version 6.5.4 and may occur in other versions.

The second flaw is similar, involving extraction of a file with a long filename from an attached UUE file. Again, a boundary error can cause a stack-based buffer overflow, allowing execution of arbitrary code. This flaw is known to occur in versions 6.5.4 and 7.0.

A third flaw involves generating previews of compressed files in attached ZIP, UUE or TAR files, using the Notes attachment viewer. Malicious users can exploit this flaw to delete arbitrary files. While this flaw is confirmed in versions 6.5.4 and 7.0, it may also occur in prior versions.

The fourth flaw is similar to the first and second, but involves TAR files. This flaw occurs in versions 6.5.4 and 7.0, and possibly in prior versions.

The fifth flaw occurs in the HTML speed reader when handling very long links. This allows execution of arbitrary code and occurs in versions 6.5.4 and 7.0, and possibly in prior versions.

The final flaw also occurs in the HTML speed reader and causes a stack-based buffer overflow for very long links. Execution of arbitrary code is possible in versions 6.5.4 and 7.0, and possibly in prior versions.

Although upgrading is recommended, IBM has also provided workarounds for these vulnerabilities. IBM notes that, "users [should] use caution when opening or viewing unsolicited file attachments."
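For systems that cannot be upgraded right away, a mail gateway can screen ZIP, TAR and UUE attachments for the overlong entry filenames that the first, second and fourth flaws depend on. The following is an added example, not IBM's workaround or code from the article; the 255-character limit and all function names are assumptions, since the article gives no buffer size.

```python
import io
import tarfile
import zipfile

# Assumption: the page gives no buffer size; this limit is a local policy choice.
MAX_NAME_LEN = 255

def uue_names(data):
    """Filenames from uuencode header lines of the form 'begin <mode> <name>'."""
    names = []
    for line in data.decode("latin-1").splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
            names.append(parts[2])
    return names

def entry_names(data):
    """Entry names from every parser that accepts the bytes (covers polyglots)."""
    names = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names += [info.filename for info in zf.infolist()]
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            names += [member.name for member in tf.getmembers()]
    except tarfile.TarError:
        pass  # not a TAR archive
    return names + uue_names(data)

def oversized_names(data, limit=MAX_NAME_LEN):
    """Entry names longer than the limit; a non-empty list means quarantine."""
    return [n for n in entry_names(data) if len(n) > limit]

def sample_zip(name):
    """Constructed sample: a one-entry ZIP built in memory."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr(name, b"x")
    return out.getvalue()

def sample_tar(name):
    """Constructed sample: a one-entry TAR built in memory."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = 1
        tf.addfile(info, io.BytesIO(b"x"))
    return out.getvalue()
```

The check reads only archive metadata and never extracts entries, so it does not exercise the extraction or preview paths the article describes.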

The announcement comes less than two weeks after the successful and well-attended Lotusphere 2006. Industry leader Lotus Notes has over 120 million users and has experienced growth of over 10% in 2005. Analysts note that, in its over-15-year history, Lotus Notes has had only a handful of security issues.

Edmund X. DeJesus (dejesus@compuserve.com) is a freelance writer in Norwood, Mass.

This article originally appeared on SearchSecurity.com.