Dennis' Domino Blog

(July 2010) Fixes for potential security vulnerabilities in Lotus Notes file viewers

Permalink 07/27/10 20:33, by Dennis van Remortel, Categories: IBM, Lotus, security


Flash (Alert)
Abstract
iDefense Labs, Secunia, and TippingPoint's Zero Day Initiative (ZDI) contacted IBM Lotus to report potential buffer overflow vulnerabilities in several Lotus Notes file viewers.
Content

In specific situations, arbitrary code could potentially be executed when the following types of attachments are viewed in Notes:

  • Lotus 1-2-3 Spreadsheet
  • Microsoft Office Spreadsheet
  • Microsoft Office Word
  • Microsoft Word 2.0
  • OLE document
  • QuattroPro speed reader
  • WordPerfect 5

To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and then users would have to double-click the attachment and select "View".

The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted.

Refer to the tables in the "Additional Information" section below for more information on each issue, including the name of the vulnerable .dll files, the Lotus SPR tracking numbers, and fix availability for each code stream. You can also find related information on the Web sites of the security researchers who discovered the issues:


Recommended Fix

These issues have been investigated by IBM Lotus and the technology vendors involved. To address the issues, customers are encouraged to apply the following Fix Packs:


For customers unable to apply these Fix Packs, IBM Lotus is providing a self-extracting .zip file with a script to apply a single, cross-version patch for Notes 8.5.1.x, 8.0.x, and 7.0.x. The patch is now available for download from Fix Central (a direct download link is provided below). See the Workarounds section for more details.

Workarounds

For Notes 8.5.x, 8.0x, and 7.x

Option 1: Download and apply the patch Keyview_Security_patch0719.exe from Fix Central.

This single patch has contents that apply to Notes 8.5.1, 8.0x, and 7.0x so it can be run on a client machine with any of these releases. The script will determine the correct version and then apply the patches into the Notes Program or MUI directory.

This patch does not interfere with existing hotfixes, Interim Fixes, Cumulative Client Hotfixes, Fix Packs, or Maintenance Releases, and it does not revise the Notes version string. Customers who want to confirm the patch has been applied can examine the file date or apply a Fix Pack that contains the fixes.

Instructions for running the patch:

1) Place the downloaded patch (Keyview_Security_patch0719.exe) on the desired machine or network drive.

2) Shut down the Notes client to ensure KeyView files to be replaced are not in memory.

3) Run Keyview_Security_patch0719.exe as Administrator.

While the patch is running a dialog will appear briefly as the files are being extracted and, upon completion, the following dialog will appear:



*** TIP ***: An alternative method for deploying the patch is described in the following Wiki article: "How to deploy non-versioned patches via Smart Upgrade"


Option 2: Disable the affected file viewers by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.

For Notes 6.x:

The KeyView viewer technology has advanced considerably since Notes 6.5. Due to these advancements, we are recommending that customers upgrade to a later release as the long term solution to avoid exposure to vulnerabilities. As further issues are discovered, the solution for customers running Notes 6.5 (and in some cases Notes 7) will be to disable KeyView or particular modules impacted, until an upgrade can occur. As a guideline, providing KeyView security solutions on releases that have been in market longer than 5 years will not be possible.

Option 1: Upgrade to a later release.

- or -

Option 2: Disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.

 

For Notes 5.x


Disable the affected file viewers by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote. There is no software fix available for the Notes 5.x code stream.


Options to disable viewers within Notes

Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
After removing the dll file, when a user tries to view a file that requires that viewer, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon ( ; ). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out
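
As an added illustration (not part of the IBM technote or this blog), the Python sketch below automates the comment-out workaround for a list of DLL names and reports which entries it disabled, so the result can be audited. It assumes keyview.ini entries are `key=value` lines as in the example above; the sample file content is constructed and the function names are hypothetical.

```python
import re

# DLL names taken from the "Additional Information" tables of the advisory.
AFFECTED_DLLS = ("wkssr.dll", "kpmsordr.dll", "mwsr.dll",
                 "kvolefio.dll", "qpssr.dll", "wosr.dll")

# Constructed sample. Only the [KVWKBVE] section name and the
# "188=xlssr.dll" entry appear in the advisory; the rest is made up.
SAMPLE_INI = """\
[KVWKBVE]
188=xlssr.dll
189=wkssr.dll
190=QPSSR.DLL
; 191=wosr.dll
192=notmwsr.dll
[OTHER]
10=C:\\Notes\\mwsr.dll
"""


def _references(line, dll_names):
    """Return the DLL named by an active key=value line, or None."""
    stripped = line.strip()
    # Skip blanks, section headers and lines that are already commented out.
    if not stripped or stripped[0] in ";[" or "=" not in stripped:
        return None
    value = stripped.split("=", 1)[1].lower()  # Windows file names: ignore case
    for name in dll_names:
        # Match the file name as a whole path component, never as a substring,
        # so "notmwsr.dll" is not mistaken for "mwsr.dll".
        pattern = r"(?:^|[\\/\s,])" + re.escape(name.lower()) + r"(?:$|[\s,])"
        if re.search(pattern, value):
            return name
    return None


def disable_viewers(ini_text, dll_names=AFFECTED_DLLS):
    """Prefix ';' to active lines that reference dll_names.

    Returns (new_text, changes); changes holds (line_no, section, dll).
    Running it on its own output changes nothing (idempotent).
    """
    out, changes, section = [], [], None
    for line_no, line in enumerate(ini_text.splitlines(keepends=True), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        hit = _references(line, dll_names)
        if hit:
            changes.append((line_no, section, hit))
            line = ";" + line
        out.append(line)
    return "".join(out), changes


def active_references(ini_text, dll_names=AFFECTED_DLLS):
    """Audit helper: (section, dll) pairs that are still enabled."""
    return [(sec, dll) for _, sec, dll in disable_viewers(ini_text, dll_names)[1]]


if __name__ == "__main__":
    patched, done = disable_viewers(SAMPLE_INI)
    for line_no, section, dll in done:
        print(f"line {line_no} [{section}]: disabled {dll}")
    print("still active:", active_references(patched))
```

Write the returned text back only with the Notes client shut down, and keep a copy of the original file so the viewers can be re-enabled after a Fix Pack is applied.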

Additional Information

Note: All potential vulnerabilities are investigated to understand the issue and the required fix. However, in some cases, due to significant architectural enhancements in the product there may be cases where a workaround will be the only option.

Lotus 1-2-3 Spreadsheet (wkssr.dll)


| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2010-0131 | PRAD83F4CU | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |
| CVE-2010-0133 & CVE-2010-1525 | PRAD83M2UM | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |
| CVE-2010-1524 | PRAD83ML59 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |


Microsoft Office Spreadsheet (wkssr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| Unknown | PRAD8225G4 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |
| Unknown | PRAD8225K3 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |


Microsoft Office Word (kpmsordr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| Unknown | PRAD8225BX | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |


Microsoft Word 2.0 (mwsr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| Unknown | PRAD82255P | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |


OLE document (kvolefio.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2009-3032 | PRAD7WK4NV | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP4 | Fixed in 8.5.1 FP1 | Fix Included | iDefense |


QuattroPro speed reader (qpssr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2010-0126 | PRAD837LDA | Workaround Available | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |


WordPerfect 5 (wosr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2010-0135 | PRAD83M367 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |


General cautionary note


Users are strongly urged to use caution when opening or viewing unsolicited file attachments.

Attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.



Security Rating Using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
Related information
Domino and Notes 8.5 - KeyView filter formats supported
Domino and Notes 8.5.1 - KeyView filter formats support

InterfaceFLOR: Let's be clear

Permalink 07/01/10 08:49, by Dennis van Remortel, Categories: Work

Link: http://www.interfaceflor.eu/letsbeclear

A new campaign from InterfaceFLOR about sustainability. This campaign consists of several parts, all about spreading the word about sustainability and debunking claims.

It’s time to tell the truth about carpet tiles, green claims and sustainability. InterfaceFLOR have created everything you need to cut through the greenwash and help you to make the most sustainable product choices.





How to choose the most sustainable products and what to ask the manufacturers



The marketing world has woken up to sustainability and the result is a blizzard of claims for products from cars to carpets: ‘carbon neutral’, ‘recyclable’, ‘natural’, ‘cradle to cradle’, ‘fair-trade’, ‘organic’, ‘environment friendly’, etc.

But sustainability is too complex to be explained by a single product benefit or green label. This guide explains how to assess the sustainability of different products and the companies that make them.

Download Just the Facts

IBM WebSphere Application Server Administration Console Cross Site Scripting Vulnerability

Permalink 06/24/10 08:42, by Dennis van Remortel, Categories: IBM, Websphere, security

Link: http://www.securityfocus.com/bid/39051/info

Bugtraq ID: 39051
Class: Input Validation Error
CVE: CVE-2010-0768
Remote: Yes
Local: No
Published: Mar 30 2010 12:00AM
Updated: Jun 23 2010 08:38PM
Credit: IBM
Vulnerable:
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 7.0.8
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1.9
IBM Websphere Application Server 6.1.8
IBM Websphere Application Server 6.1.7
IBM Websphere Application Server 6.1.6
IBM Websphere Application Server 6.1.5
IBM Websphere Application Server 6.1.4
IBM Websphere Application Server 6.1.3
IBM Websphere Application Server 6.1.25
IBM Websphere Application Server 6.1.23
IBM Websphere Application Server 6.1.22
IBM Websphere Application Server 6.1.21
IBM Websphere Application Server 6.1.20
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1.19
IBM Websphere Application Server 6.1.18
IBM Websphere Application Server 6.1.17
IBM Websphere Application Server 6.1.15
IBM Websphere Application Server 6.1.14
IBM Websphere Application Server 6.1.13
IBM Websphere Application Server 6.1.12
IBM Websphere Application Server 6.1.11
IBM Websphere Application Server 6.1.10
IBM Websphere Application Server 6.1.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2.9
IBM Websphere Application Server 6.0.2.7
IBM Websphere Application Server 6.0.2.5
IBM Websphere Application Server 6.0.2.39
IBM Websphere Application Server 6.0.2.35
IBM Websphere Application Server 6.0.2.33
IBM Websphere Application Server 6.0.2.31
IBM Websphere Application Server 6.0.2.3
IBM Websphere Application Server 6.0.2.29
IBM Websphere Application Server 6.0.2.27
IBM Websphere Application Server 6.0.2.25
IBM Websphere Application Server 6.0.2.24
IBM Websphere Application Server 6.0.2.23
IBM Websphere Application Server 6.0.2.22
IBM Websphere Application Server 6.0.2.21
IBM Websphere Application Server 6.0.2.17
IBM Websphere Application Server 6.0.2.15
IBM Websphere Application Server 6.0.2.13
IBM Websphere Application Server 6.0.2.11
IBM Websphere Application Server 6.0.2.1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.1
IBM Websphere Application Server 6.0.7
IBM Websphere Application Server 6.0
IBM Websphere Application Server 7.0.0.7
IBM Websphere Application Server 7.0.0.5
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.1.0.29
IBM Websphere Application Server 6.1.0.27
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17


Not Vulnerable:
IBM Websphere Application Server 7.0.9
IBM Websphere Application Server 6.1.0.31
IBM Websphere Application Server 6.0.2.41


IBM WebSphere Application Server (WAS) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to WAS 7.0.0.9, 6.1.0.31, and 6.0.2.4 are vulnerable.


Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

Solution:
The vendor has released updates. Please see the references for details.

References:
* IBM APAR PK97376 (IBM)
* IBM Websphere Homepage (IBM)
* WebSphere Application Server Administration Console Cross-Site Scripting (IBM)

IBM DB2 prior to 9.7 Fix Pack 2 Multiple Security Vulnerabilities

Permalink 06/01/10 10:55, by Dennis van Remortel, Categories: security

Bugtraq ID:	40446
Class:		Unknown
CVE:		CVE-2010-0472
Remote:		Yes
Local:		Yes
Published:	May 28 2010 12:00AM
Updated:	May 31 2010 03:50PM
Credit:		The vendor disclosed these issues.
Vulnerable:	IBM DB2 Universal Database 9.7.1
		IBM DB2 Universal Database 9.7
Not Vulnerable:	IBM DB2 Universal Database 9.7.2 

IBM DB2 is prone to multiple vulnerabilities.

These issues may allow attackers to carry out denial-of-service attacks, obtain sensitive information, and exploit an unspecified vulnerability with an unknown impact.

These issues affect IBM DB2 9.2 prior to Fix Pack 2 (9.7.2). 

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Some of these issues may not require exploit code. 

Solution:
The vendor has released fixes. Please see the references for details.

References:
* IBM DB2 Homepage (IBM)
* 1432298 Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, a (IBM)



xpages: Themes and css media types

Permalink 05/31/10 10:52, by Dennis van Remortel, Categories: Lotus, xpages

This weekend I was trying to embed blueprint in an xpages app.
All went fine, but I ran into 1 problem: How do you get your theme to use the following syntax?

<!--sample -->
<!-- Framework CSS -->
<link rel="stylesheet" href="../../blueprint/screen.css" type="text/css" media="screen, projection">
<link rel="stylesheet" href="../../blueprint/print.css" type="text/css" media="print">
<!--[if lt IE 8]>
<!-- Import fancy-type plugin for the sample page. -->
<link rel="stylesheet" href="../../blueprint/plugins/fancy-type/screen.css" type="text/css" media="screen, projection">

The media= part I can't fix with the theme? I tried the following:

<resource>
<content-type>text/css</content-type>
<href>screen.css</href>
<media>screen, projection</media>
</resource>

But the generated code doesn't take the media stuff into account at all.

<link rel="stylesheet" type="text/css" href="/dev/blueprint.nsf/screen.css">
<link rel="stylesheet" type="text/css" href="/dev/blueprint.nsf/fancyscreen.css">


Any suggestions on this?


InterfaceFLOR news: 'War on waste' and EPD

Permalink 05/21/10 08:50, by Dennis van Remortel, Categories: Personal, Work
At InterfaceFLOR we've recently been granted EPDs (Environmental Product Declarations). Our Flatworks range of Microtuft modular carpet tiles – which includes Scandinavian Collection, Straightforward and Elevation II, and contains 30-50% less oil-based yarn than other products – is the first product category to receive EPD validation.

EPDs follow a rigorous process in accordance with agreed industry standards. In addition to sharing what is typically confidential product information, we carried out a thorough life cycle assessment (LCA) for our products, in line with ISO 14040 standards. This covers everything from raw material extraction through to disposal or recycling at the end of the product's useful life.

EPD Product Life Cycle

Read more about it here.

And, we are waging a war on waste! Click the image below for more info.

War on Waste


IBM WebSphere Application Server Long Filename Information Disclosure Vulnerability

Permalink 05/21/10 08:39, by Dennis van Remortel, Categories: IBM, security
Bugtraq ID:  	        40277
Class: 			Unknown
CVE: 			CVE-2010-0777
Remote: 		Yes
Local: 			No
Published: 		May 09 2010 12:00AM
Updated: 		May 20 2010 05:02PM
Credit: 		Reported by the vendor
Vulnerable: 		IBM Websphere Application Server 7.0 3
			IBM Websphere Application Server 7.0 .9
			IBM Websphere Application Server 7.0 .8
			IBM Websphere Application Server 6.1.2
			IBM Websphere Application Server 6.1 .9
			IBM Websphere Application Server 6.1 .8
			IBM Websphere Application Server 6.1 .7
			IBM Websphere Application Server 6.1 .6
			IBM Websphere Application Server 6.1 .5
			IBM Websphere Application Server 6.1 .4
			IBM Websphere Application Server 6.1 .3
			IBM Websphere Application Server 6.1 .25
			IBM Websphere Application Server 6.1 .23
			IBM Websphere Application Server 6.1 .22
			IBM Websphere Application Server 6.1 .21
			IBM Websphere Application Server 6.1 .20
			IBM Websphere Application Server 6.1 .2
			IBM Websphere Application Server 6.1 .19
			IBM Websphere Application Server 6.1 .18
			IBM Websphere Application Server 6.1 .17
			IBM Websphere Application Server 6.1 .15
			IBM Websphere Application Server 6.1 .14
			IBM Websphere Application Server 6.1 .13
			IBM Websphere Application Server 6.1 .12
			IBM Websphere Application Server 6.1 .11
			IBM Websphere Application Server 6.1 .10
			IBM Websphere Application Server 6.1 .1
			IBM Websphere Application Server 6.1
			IBM Websphere Application Server 6.0.2 .9
			IBM Websphere Application Server 6.0.2 .7
			IBM Websphere Application Server 6.0.2 .5
			IBM Websphere Application Server 6.0.2 .39
			IBM Websphere Application Server 6.0.2 .35
			IBM Websphere Application Server 6.0.2 .33
			IBM Websphere Application Server 6.0.2 .31
			IBM Websphere Application Server 6.0.2 .3
			IBM Websphere Application Server 6.0.2 .29
			IBM Websphere Application Server 6.0.2 .27
			IBM Websphere Application Server 6.0.2 .25
			IBM Websphere Application Server 6.0.2 .24
			IBM Websphere Application Server 6.0.2 .23
			IBM Websphere Application Server 6.0.2 .22
			IBM Websphere Application Server 6.0.2 .21
			IBM Websphere Application Server 6.0.2 .17
			IBM Websphere Application Server 6.0.2 .15
			IBM Websphere Application Server 6.0.2 .13
			IBM Websphere Application Server 6.0.2 .11
			IBM Websphere Application Server 6.0.2 .1
			IBM Websphere Application Server 6.0.2
			IBM Websphere Application Server 7.0.0.7
			IBM Websphere Application Server 7.0.0.5
			IBM Websphere Application Server 7.0.0.1
			IBM Websphere Application Server 7.0
			IBM Websphere Application Server 6.1.0.29
			IBM Websphere Application Server 6.1.0.27
			IBM Websphere Application Server 6.0.2.41
			IBM Websphere Application Server 6.0.2.19
			IBM Websphere Application Server 6.0.2 Fix Pack 17
			
			Not Vulnerable: 	
			IBM Websphere Application Server 7.0 .11
			IBM Websphere Application Server 6.1.0.31
			IBM Websphere Application Server 6.0.2.43
	
IBM WebSphere Application Server (WAS) is prone to an information-disclosure vulnerability.
Exploiting this issue may allow an attacker to access sensitive information that may aid in further attacks.
This issue affects WAS 6.0, 6.1, and 7.0. 
An attacker can exploit this issue through a browser. 


Solution:
IBM has released fixes. Please see the vendor reference for details.

References:

    * Fix list for IBM WebSphere Application Server V6.1 (IBM)
    * IBM Websphere Homepage (IBM)
    * WebSphere Application Server Web Container information disclosure (IBM)


Live demo: Online Workspace application

Permalink 05/05/10 21:08, by Dennis van Remortel, Categories: Administration, IBM, Lotus, Development, Web, xpages
So, the application I teased about earlier is finally ready for a live demo. Because it uses a profile document to store which applications you add, it's behind a login.

Username: Test User
password: test

Url: Workspace Beta

The app uses Xpages, SSJS, Jquery, AJAX posts and a good old notesagent. You can add applications and drag/drop them where you want.

There still is a big list of issues, but, the basis is there.
I've provided some dummy apps you can add. The user has no rights whatsoever on the system, but for a proof of concept that's enough.
Please provide feedback on what you think about this application.



Upd. (07-05-2010):
Even though there is no feedback so far, I've made the app even better, it can now hold any website as an icon too. (demo has google as an example).

Sneak preview: Xpages and jQuery app.

Permalink 04/15/10 13:26, by Dennis van Remortel, Categories: Lotus, Personal, Web, xpages
Upd.: It's live, see here for more info.

I've been working on this for a while (heck, I'm an admin ;) ), so this is very much a W.I.P.
Wishlist: 30 A4's
Buglist: 35 A4's

What does it do? It lists "tiles" that are listed in a view with a view control, stores the location of the tiles in a cookie (yep, that will become ajax post someday). Moving works, closing works.


It's a learning curve for me with new techniques such as Xpages and Jquery, and a "how did this work" experience in combining css with Xpages etc.

(No live demo available yet)

Xpages and Security: Can an expert please help? OWASP and Xpages

Permalink 03/04/10 10:16, by Dennis van Remortel, Categories: IBM, Lotus, Development, security
As we've all been making the move to more and more Xpages applications, I'd like to raise the point of security.

We are, as Domino people, not known to be attacked a lot, but still I'd like to know the following (as an admin that does some design work):
Would it be possible, now xpages uses Serverside Java, to implement the OWASP Esapi?
So for field validation etc to prevent XSS and XSRF and other threats from the OWASP top 10? Or would this be a non-issue for Domino as a webplatform?



Enterprise Security API (ESAPI)

OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Our motto is NO GUTS NO GLORY!

How ESAPI Works



Read more about the ESAPI here.

Yet another Domino/Websphere Admin blog.

About me:
Lotus Notes/Domino Admin
Websphere Commerce Admin
sceptic
critic




©2010 by Dennis van Remortel
