Potential security issue with Lotus Notes file viewer for Microsoft Excel

Technote (troubleshooting)


Problem


iDefense Labs contacted IBM Lotus to report a potential keyview buffer overflow vulnerability in Lotus Notes. In specific situations it was found that there is the possibility to execute arbitrary code.

To successfully exploit this vulnerability, an attacker would need to send a specially crafted Microsoft Excel Spreadsheet (XLS) file attachment to users, and the users would then have to double-click the attachment and select "View".


The CVE identifier is CVE-2009-3037

Link to iDefense advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=823

Link to related Symantec advisory
http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=security_advisory

Resolving the problem

(Original publish date August 25, 2009. See "Change History" below.)

This issue is being tracked under SPR# PRAD7RSL2H and is resolved in Notes 8.5.1. Refer to the Upgrade Central site for details on upgrading Notes/Domino.

A patch is also currently available (see below for details) and a fix is included in the latest CCH for Notes 7.0.4 (on Fix Central).

Note that this issue was determined to impact Windows-based Notes clients; it does not impact Lotus Domino servers.


Workarounds

For Notes 8.5.x, 8.0x, and 7.x

Option 1: Obtain the patch by opening a service request with IBM Support.

- or -

Option 2: Disable the affected file viewer by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.

For Notes 6.x:

Disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote. There is no software fix available for the 6.x Notes client version.


For Notes 5.x

Disable the viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote. There is no software fix available for the 5.x Notes client version.


Options to disable viewers within Notes

Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
In this case the affected DLL file is xlssr.dll. When a user tries to view a Microsoft Excel file, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out



General cautionary note

Users are strongly urged to use caution when opening or viewing unsolicited file attachments.

Attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.



Security Rating Using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.


Change History
21 October 2009 Added 704 CCH info
14 October 2009 Updated 8.5.1 fix info
10 September 2009 Added CVE identifier
25 August 2009 First published.

Related information

Lotus Security Bulletins Page
A simplified Chinese translation is available

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Notes
Editor

Software version:

6.5, 7.0, 8.0, 8.5

Operating system(s):

Windows

Reference #:

1396492

Modified date:

2009-10-22

Translate my page

Machine Translation

Content navigation