-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0184 -- [Win]
            Possible Java plug-in vulnerability in Lotus Notes
                             21 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Lotus Notes 7.0
                      Lotus Notes 6.5.6
Publisher:            IBM
Operating System:     Windows
Impact:               Increased Privileges
Access:               Remote/Unauthenticated

Original Bulletin:    
  http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932

Comment: Lotus Notes version 8.0 is not affected by this vulnerability.

- --------------------------BEGIN INCLUDED TEXT--------------------

Possible Java plug-in vulnerability in Lotus Notes

Technote (FAQ)
 
Question

David Gloede contacted IBM Lotus to report that the Notes client
was affected by a Java plug-in vulnerability originally documented
in an advisory by Jouko Pynnonen. This Java vulnerability involves
the execution of JavaScript within a Java applet to gain escalated
privileges.

In order for an attacker to successfully exploit this vulnerability
in previous releases, the following must be accomplished:

(1) Lotus Notes client must have the "Enable Java access from
    JavaScript" option enabled within User Preferences.

(2) Attacker must create a Java applet which utilizes JavaScript
    to execute Java code that will escalate the attackers access
    privileges.

(3) Attacker must attach the Java applet to an email and send the
    mail message to a user.

(4) User must open the message.


Jouko Pynnonen's original advisory is available at the following link:
http://jouko.iki.fi/adv/javaplugin.html

The related Sun advisory is available at the following link:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101523-1
 
Answer

The Java Virtual Machine (JVM) fix for the vulnerability reported
as Sun Alert # 57591/101523 has been incorporated into Notes release
7.0.2. Notes release 8.0 is not affected by this vulnerability.

For Notes releases prior to 7.0.2, it is recommended that you disable
the "Enable Java access from JavaScript" preference.

To manage the User Preferences for a all users

Administrators can centrally manage the User Preferences by using
a Desktop Policy.

1. Open the Domino Directory and go to the Policy section.

2. Choose the Desktop Policy and navigate to the "Preferences" tab

3. Select the "Miscellaneous" tab.

4. Deselect "Enable Java access from JavaScript".

To learn more about the Desktop Policy and how to manage it, refer
to the Domino Administrator Help.


To change the User Preferences for a single user.

1. From the Lotus Notes menu, select File ->Preferences ->User Preferences.

2. Select the Basics tab, and navigate to the Additional Options section.

3. Deselect "Enable Java access from JavaScript".

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR7z06yh9+71yA2DNAQIBbQP/QanrFffLz4jPdv7/3gozOX1RYB/Yjw8c
rFLcauR+h+oYIxPz2r0m93jM7a2BUTEuUCJlGIKXmnNyWJNBqAUbDoCdYePsmeFW
6zOOd/Azm9r5aT0Z1BMfQOH080asTubuJxonAH5uhGCF5WJ1+BPub9TXXA4+Xyzr
zIbqk3GY1xc=
=1RhX
-----END PGP SIGNATURE-----