Potential Notes workstation Execution Control List (ECL) security vulnerability

 Technote (FAQ)
 
 
Question
Ed Schaller contacted IBM Lotus to report a potential Execution Control List (ECL) security issue within the IBM Lotus® Notes® client.
The ECL, introduced in Notes 4.5, enables users to protect their data against the threats of e-mail bombs, viruses, Trojan horses, and unwanted application intrusions. The ECL provides the mechanism for managing whether such programs or code should be allowed to execute. It has been determined that this mechanism, in specific situations, may prevent the Execution Security Alert from being presented when either a Notes database (.nsf) or Notes template (.ntf) attachment is involved.
 
Cause
The Execution Control List security checking functionality works as expected if a Notes database attachment is opened and buttons are executed manually. However, there is a potential issue if the same code is placed into a Navigator. Under these circumstances, the Execution Security Alert (ESA) may not be issued, resulting in the automatic execution of the attachment.
 
Answer
This issue was reported to Quality Engineering as SPR# KEMG6WELNR, and is fixed in Lotus Notes releases 7.0.3 and 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.
Workaround
Users are strongly urged to use caution when opening or viewing unsolicited file attachments. Additionally, a proven commercial virus scanning program that filters attachments should be implemented.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
 
 
 

Document information
 Product categories:
 Software
 Messaging Applications
 Advanced Messaging
 Lotus Notes
 Security
 Operating system(s):
  Linux, Mac OS, Windows
 Software version:
  6.5, 7.0, 8.0
 Reference #:
  1270884
 IBM Group:
 Software Group
 Modified date:
 2007-11-07
