IBM Corp. patched four vulnerabilities in its Notes and Domino e-mail software to plug holes that could be used to access information or infect systems with malicious code.
Collectively ranked as "moderately critical" by Danish bug tracker Secunia ApS, the four vulnerabilities involve Notes' IMAP service; its scripting language, LotusScript; the Domino server's command console; and how both Notes and Domino map memory in Windows when they're used in a shared environment such as Citrix.
"Lotus Domino is prone to a vulnerability that may allow attackers to access other users' sessions," said Symantec Corp. in an advisory posted Wednesday. A Symantec researcher, Ollie Whitehouse, was credited with reporting the memory mapping bug to IBM.
"If the Lotus Notes client is used in a Microsoft Terminal Services or Citrix environment, users can read each other's Lotus Notes session data, including items such as e-mail," the Symantec advisory said. "This vulnerability could also be used to write to the memory mapped files, [allowing] an attacker to potentially inject active content such as Lotus Script."
Rated slightly higher on the threat scoring system that IBM applies to bugs, however, was the IMAP vulnerability, credited to iDefense Labs, a security intelligence firm owned by VeriSign Inc.
Attackers could exploit the IMAP (Internet Message Access Protocol) bug to cause a buffer overflow, which would then allow them to execute malicious code remotely. "Under Windows, the privileges gained are, by default, that of the SYSTEM user," said iDefense in a warning posted Wednesday. "This allows an attacker to take complete control of the compromised system."
The caveat: Attackers must have valid logon credentials for the IMAP service. Those, however, could be obtained in a phishing attack; alternately, a disgruntled employee with access to IMAP could launch an attack.
IBM issued security bulletins Wednesday for each vulnerability, and provided links to updates to versions 7.0.3 and 8.0 that patch the problems. The updates can also be downloaded from the Lotus Upgrade Central Web site.

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.