[SingCERT] Potential security issue with Lotus Notes file viewer for Microsoft Excel


[ Summary ]

A vulnerability was reported in IBM Lotus Notes. A remote user can cause arbitrary code to be executed on the target user's system.


A remote user can create a specially crafted Microsoft Excel file attachment that, when double-clicked and viewed by the target user, triggers a buffer overflow in the KeyView file viewer and executes arbitrary code on the target system. The code runs with the privileges of the target user.

 

Lotus Domino servers are not affected.

[ Impact Analysis ]
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.


[ Solution/Workaround ]
 
For Notes 8.5.x, 8.0x, and 7.x:
Option 1: Obtain the patch by opening a service request with IBM Support.
Option 2: Disable the affected file viewer by following one of the options in the "How to disable viewers within Lotus Notes" section of the reference document.

For Notes 6.x:
Disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of the reference technote. There is no software fix available for the 6.x Notes client version.

For Notes 5.x:
Disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of the reference technote. There is no software fix available for the 5.x Notes client version.

 

[ Reference ]
http://www-01.ibm.com/support/docview.wss?uid=swg21396492