TAN Chew Keong contacted IBM Lotus to report several potential keyview buffer overflow vulnerabilities in Lotus Notes. In specific situations it was found that there is the possibility to execute arbitrary code.
To successfully exploit these vulnerabilities, an attacker would need to send a specially crafted file attachment to users, and the users would then have to double-click and "View" the attachment.
These issues are relative to the following file attachment types: WordPerfect (.wpd), AmiPro (.sam), Microsoft Word for DOS (.doc), and FrameMaker (.mif).
The advisory can be found at the following URL: http://vuln.sg/
Resolving the problem
These issues were reported to Quality Engineering as SPR#s KEMG6X9QED, KEMG6XAS48, KEMG6XPK6A, and KEMG6XTLDN. We have received software updates from the technology vendor involved and have all been addressed in Lotus Notes release 7.0.3, as well as in either Lotus Notes release 8.0 or 8.0.1. Refer to the below table for details.
These issues vary depending on the file attachment type, but are all related in how the buffer overflow denial of service could be accomplished. In all cases, the issues involve viewing a malicious attached file.
|SPR #||Details||Fixed Versions|
|KEMG6X9QED||Issue occurs within wp6sr.dll when dealing with malicious WordPerfect file (.wpd).||Fixed in Lotus Notes 7.0.3 and 8.0.1|
|KEMG6XAS48||Issue occurs within lasr.dll when dealing with malicious Ami Pro file (.sam).||Fixed in Lotus Notes 7.0.3 & 8.0|
|KEMG6XPK6A||Issue occurs within mifsr.dll when dealing with malicious FrameMaker Maker Interchange File (.mif).||Fixed in Lotus Notes 7.0.3 & 8.0|
|KEMG6XTLDN||Issue occurs within mwsr.dll when dealing with malicious Microsoft Word for DOS (.doc) file.
Vulnerability does not affect Word 2000, XP (2002), 2003, or 2007.
|Fixed in Lotus Notes 7.0.3 & 8.0|
Note: This issue impacts the Lotus Notes client only; it does not impact the Domino server.
Refer to the Upgrade Central site for details on upgrading Notes/Domino.
Workarounds for Notes 7.0.x client versions:
Option 1: If you cannot immediately upgrade to Lotus Notes 7.0.3, you may correct the issue by copying the DLL files from a 7.0.3 release over the versions found in earlier 7.0.x releases. You may obtain the DLLs from a Notes 7.0.3 client in any language. They are not language specific
Option 2: Alternately, you can disable the affected file viewers by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.
Workaround for Notes 6.x client versions:
(Updated February 12, 2008)
Option 1: Contact IBM Support to obtain the patch for the Notes client.
Option 2: Alternately, you can disable the affected file viewer by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.
Workaround for Notes 5.x client versions:
If you are interested in protecting yourself from these vulnerabilities, we recommend disabling the viewers as described in the "How to Disable Viewers within Lotus Notes" section of this technote. There is no software fix available for the 5.x Notes client version.
How to disable viewers within Notes:
Option 1 : Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."
Option 2 : Delete the problem file .dll file. When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.
Option 3 : Comment out specific lines in keyview.ini for any references to the problem file (dll). To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."
In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments.
The attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using one of the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.
|Security Rating using Common Vulnerability Scoring System (CVSS) v2|
|CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
|Base Score Metrics:
|Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.