Home / Cyber Advisories

---

MS-ISAC ADVISORY NUMBER:
2007-024 Updated

DATE(S) ISSUED:
11/28/2007 - Updated

SUBJECT:
IBM Lotus Notes 1-2-3 Viewer Multiple Buffer Overflow Vulnerabilities

OVERVIEW:
A new vulnerability has been discovered in the IBM Lotus Notes email client for which public exploit code is available on the Internet. The vulnerability can be exploited if a user opens an email and views a malicious Lotus 1-2-3 (IBM Lotus Software's spreadsheet program) file attachment. A successful attack would corrupt memory and execute malicious code providing the attacker with the same privileges as the logged-on user. If the user is logged-on with administrative privileges, the attacker can take complete control of the affected system, add/modify or delete user accounts and programs.

SYSTEMS AFFECTED:

• IBM Lotus Notes 5.x
• IBM Lotus Notes 6.x
• IBM Lotus Notes 7.x
• IBM Louts Notes 8.x

RISK:
Government:

• Large and medium government entities: High
• Small government entities: High

Businesses:

• Large and medium business entities: High
• Small business entities: High

Home users: N/A

DESCRIPTION:
Lotus Notes is a client-server, collaborative application used for accessing business e-mail, calendars and applications on an IBM Lotus Domino server. This vulnerability resides on the client side which is commonly used by the end user.

A new vulnerability has been discovered in IBM Lotus Notes for which public exploit code is available on the Internet. The vulnerability is in the IBM Lotus 1-2-3 viewer. The vulnerability can be exploited if a user opens a malicious Lotus 1-2-3 (.123) email attachment with the vulnerable viewer. A successful attack would corrupt memory and execute arbitrary code providing the attacker with the same privileges as the logged-on user. If the user is logged-on with administrative privileges, the attacker can take complete control of the affected system, add/modify or delete user accounts and programs.

RECOMMENDATIONS:
We recommend the following actions be taken:

• If running IBM Lotus Notes version 7.x and 8.x, apply the patch immediately after appropriate testing. The patch can be obtained by contacting IBM Support.
• If patching is not an option at this time, or you are running IBM Lotus Notes 5.x or 6.x, disable the viewer. This can be done through several different options:
• Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."
• Delete or rename the problem DLL file, which in this case is l123sr.dll. Be aware that the DLL file name starts with lowercase "L". When a user tries to view a 123 spreadsheet file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.
• Comment out specific lines in keyview.ini for any references to the problem file (dll). To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/26604/

IBM
http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21285600

Core Security:
http://www.coresecurity.com/index.php5?action=item&id=2008

Secunia:
http://secunia.com/advisories/27835/

ISC:
http://isc.sans.org/diary.html?storyid=3696

Copyright © 2008 - Privacy Policy - Contact Us