Dennis' Domino Blog
« Etisalat Statement Regarding Suspension of BlackBerry Services in UAEIBM WebSphere Application Server Administration Console Cross Site Scripting Vulnerability »

(July 2010) Fixes for potential security vulnerabilities in Lotus Notes file viewers

  07/27/10 20:33, by dennisvr, Categories: IBM, Lotus, security

(July 2010) Fixes for potential security vulnerabilities in Lotus Notes file viewers

 

Flash (Alert)
Abstract
iDefense Labs, Secunia, and TippingPoint's Zero Day Initiative (ZDI) contacted IBM Lotus to report potential buffer overflow vulnerabilities in several Lotus Notes file viewers.
Content

In specific situations, arbitrary code could potentially be executed when the following types of attachments are viewed in Notes:

  • Lotus 1-2-3 Spreadsheet
  • Microsoft Office Spreadsheet
  • Microsoft Office Word
  • Microsoft Word 2.0
  • OLE document
  • QuattroPro speed reader
  • WordPerfect 5

To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and then users would have to double-click the attachment and select "View".

The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted.

Refer to the tables in the "Additional Information" section below for more information on each issue, including the name of the vulnerable .dll files, the Lotus SPR tracking numbers, and fix availability for each code stream. You can also find related information on the Web sites of the security researchers who discovered the issues:


Recommended Fix

These issues have been investigated by IBM Lotus and the technology vendors involved. To address the issues, customers are encouraged to apply the following Fix Packs:


For customers unable to apply these Fix Packs, IBM Lotus is providing a self-extracting .zip file with script to apply a single, cross-version patch for Notes 8.5.1.x, 8.0.x, and 7.0.x. The patch is now availble for download from Fix Central (a direct download link is provided below). See the Workarounds section or more details.

Workarounds

For Notes 8.5.x, 8.0x, and 7.x

Option 1: Download and apply the patch Keyview_Security_patch0719.exe from Fix Central.

This single patch has contents that apply to Notes 8.5.1, 8.0x, and 7.0x so it can be run on a client machine with any of these releases. The script will determine the correct version and then apply the patches into the Notes Program or MUI directory.

This patch does not interfere with existing hotfixes, Interim Fixes, Cumulative Client Hotfixes, Fix Packs, or Maintenance Releases, and it does not revise the Notes version string. Customers who want to confirm the patch has been applied can examine the file date or apply a Fix Pack that contains the fixes.

Instructions for running the patch:

1) Place the downloaded patch (Keyview_Security_patch0719.exe) on the desired machine or network drive.

2) Shut down the Notes client to ensure KeyView files to be replaced are not in memory.

3) Run Keyview_Security_patch0719.exe as Administrator

While the patch is running a dialog will appear briefly as the files are being extracted and, upon completion, the following dialog will appear:



*** TIP ***: An alternative method for deploying the patch is described in the following Wiki article: "How to deploy non-versioned patches via Smart Upgrade"


Option 2: Disable the affected file viewers by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.

For Notes 6.x:

The KeyView viewer technology has advanced considerably since Notes 6.5. Due to these advancements, we are recommending that customers upgrade to a later release as the long term solution to avoid exposure to vulnerabilities. As further issues are discovered, the solution for customers running Notes 6.5 (and in some cases Notes 7) will be to disable KeyView or particular modules impacted, until an upgrade can occur. As a guideline, providing KeyView security solutions on releases that have been in market longer than 5 years will not be possible.

Option 1: Upgrade to a later release.

- or -

Option 2: Disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.

 

For Notes 5.x


Disable the affected file viewers by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote. There is no software fix available for the Notes 5.x code stream.


Options to disable viewers within Notes

Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
After removing the dll file, when a user tries to view a file that requires that viewer, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon ( ; ). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out

Additional Information

Note: All potential vulnerabilities are investigated to understand the issue and the required fix. However, in some cases, due to significant architectural enhancements in the product there may be cases where a workaround will be the only option.

Lotus 1-2-3 Spreadsheet (wkssr.dll)


CVE #

SPR #

Notes
6.5.x

Notes 7.x

Notes 8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered
by

CVE-2010-0131

PRAD83F4CU

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

Secunia

CVE-2010-0133
&
CVE-2010-1525

PRAD83M2UM

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

Secunia

CVE-2010-1524

PRAD83ML59

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

Secunia


Microsoft Office Spreadsheet (wkssr.dll)

CVE #

SPR #

Notes
6.5.x

Notes 7.x

Notes
8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered by

Unknown

PRAD8225G4

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

TippingPoint's ZDI

Unknown

PRAD8225K3

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

TippingPoint's ZDI


Microsoft Office Word (kpmsordr.dll)

CVE #

SPR #

Notes
6.5.x

Notes 7.x

Notes 8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered by

Unknown

PRAD8225BX

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

TippingPoint's ZDI


Microsoft Word 2.0 (mwsr.dll)

CVE #

SPR #

Notes
6.5.x

Notes 7.x

Notes 8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered
by

Unknown

PRAD82255P

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

TippingPoint's ZDI


OLE document (kvolefio.dll)

CVE #

SPR #

Notes
6.5.x

Notes 7.x

Notes 8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered
by

CVE-2009-3032

PRAD7WK4NV

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP4

Fixed in
8.5.1 FP1

Fix Included

iDefense


QuattroPro speed reader (qpssr.dll)

CVE#

SPR #

Notes
6.5.x

Notes 7.x

Notes 8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered by

CVE-2010-0126

PRAD837LDA

Workaround
Available

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

Secunia


WordPerfect 5 (wosr.dll)

CVE #

SPR #

Notes
6.5.x

Notes 7.x

Notes 8.0.x

Notes 8.5.1

Notes 8.5.2

Discovered by

CVE-2010-0135

PRAD83M367

Workaround Avail

Patch Avail

Fixed in
8.0.2 FP6

Fixed in
8.5.1 FP4

Fix Included

Secunia


General cautionary note


Users are strongly urged to use caution when opening or viewing unsolicited file attachments.

Attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.



Security Rating Using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
Related information
Domino and Notes 8.5 - KeyView filter formats supported
Domino and Notes 8.5.1 - KeyView filter formats support

No feedback yet

Yet another Domino/Websphere Admin blog.

About me:
Lotus Notes/Domino Admin
Websphere Commerce Admin
sceptic
critic



Search

  XML Feeds

Planet Lotus

powered by b2evolution
 

©2014 by Dennis van Remortel

Contact | Help | b2evo skins by Asevo | blogging tool | webhosting reviews