Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0184 -- [Win] Possible Java plug-in vulnerability in Lotus Notes 21 February 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Lotus Notes 7.0 Lotus Notes 6.5.6 Publisher: IBM Operating System: Windows Impact: Increased Privileges Access: Remote/Unauthenticated Original Bulletin: http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21229932 Comment: Lotus Notes version 8.0 is not affected by this vulnerability. - --------------------------BEGIN INCLUDED TEXT-------------------- Possible Java plug-in vulnerability in Lotus Notes Technote (FAQ) Question David Gloede contacted IBM Lotus to report that the Notes client was affected by a Java plug-in vulnerability originally documented in an advisory by Jouko Pynnonen. This Java vulnerability involves the execution of JavaScript within a Java applet to gain escalated privileges. In order for an attacker to successfully exploit this vulnerability in previous releases, the following must be accomplished: (1) Lotus Notes client must have the "Enable Java access from JavaScript" option enabled within User Preferences. (2) Attacker must create a Java applet which utilizes JavaScript to execute Java code that will escalate the attackers access privileges. (3) Attacker must attach the Java applet to an email and send the mail message to a user. (4) User must open the message. Jouko Pynnonen's original advisory is available at the following link: http://jouko.iki.fi/adv/javaplugin.html The related Sun advisory is available at the following link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101523-1 Answer The Java Virtual Machine (JVM) fix for the vulnerability reported as Sun Alert # 57591/101523 has been incorporated into Notes release 7.0.2. Notes release 8.0 is not affected by this vulnerability. For Notes releases prior to 7.0.2, it is recommended that you disable the "Enable Java access from JavaScript" preference. To manage the User Preferences for a all users Administrators can centrally manage the User Preferences by using a Desktop Policy. 1. Open the Domino Directory and go to the Policy section. 2. Choose the Desktop Policy and navigate to the "Preferences" tab 3. Select the "Miscellaneous" tab. 4. Deselect "Enable Java access from JavaScript". To learn more about the Desktop Policy and how to manage it, refer to the Domino Administrator Help. To change the User Preferences for a single user. 1. From the Lotus Notes menu, select File ->Preferences ->User Preferences. 2. Select the Basics tab, and navigate to the Additional Options section. 3. Deselect "Enable Java access from JavaScript". - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR7z06yh9+71yA2DNAQIBbQP/QanrFffLz4jPdv7/3gozOX1RYB/Yjw8c rFLcauR+h+oYIxPz2r0m93jM7a2BUTEuUCJlGIKXmnNyWJNBqAUbDoCdYePsmeFW 6zOOd/Azm9r5aT0Z1BMfQOH080asTubuJxonAH5uhGCF5WJ1+BPub9TXXA4+Xyzr zIbqk3GY1xc= =1RhX -----END PGP SIGNATURE-----