
URL handler vulnerability affects Lotus Symphony and Lotus Expeditor

 Technote (troubleshooting)
 
Problem
IBM was made aware of a potential vulnerability in IBM® Lotus® Symphony, which uses Lotus Expeditor code, that may allow an attacker to execute malicious code on a user's workstation under certain circumstances.
 
Symptom
Information about this issue has been published at the following locations:
Full Disclosure Web site: http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061750.html

Bugtraq Web site: http://seclists.org/bugtraq/2008/Apr/0277.html
 
Resolving the problem
Remove the following key from the Microsoft Windows Registry:
HKEY_CLASSES_ROOT\cai\shell\open\command

This action prevents any application from being treated as the default CAI URL handler.
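A defender's check for the handler described above, added here as example code and not taken from the IBM technote: a PowerShell script that reports whether a cai: URL handler is registered on the workstation and, when run with -Remove, deletes the HKEY_CLASSES_ROOT\cai\shell\open\command key named in the resolution. The "URL Protocol" marker value is the standard Windows convention for URL protocol handler keys; the -Remove switch and the Registry:: provider path are the script's own choices.

```powershell
# Added example (not from the IBM technote): audit the cai: URL handler that the
# technote says to remove, and delete the command key only when -Remove is given.
# Run from an elevated PowerShell prompt; HKEY_CLASSES_ROOT is not a default
# PSDrive, so the Registry:: provider path is used.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$protocolKey = 'Registry::HKEY_CLASSES_ROOT\cai'
$commandKey  = "$protocolKey\shell\open\command"

if (-not (Test-Path -LiteralPath $protocolKey)) {
    Write-Output 'cai: protocol key not present; nothing to do.'
    return
}

# A URL protocol handler is marked by an empty-string "URL Protocol" value on the
# scheme key; its presence means the browser hands cai: links to the command below.
$props = Get-ItemProperty -LiteralPath $protocolKey
$isUrlProtocol = $null -ne $props.PSObject.Properties['URL Protocol']
Write-Output ("cai: key present; registered as URL protocol: {0}" -f $isUrlProtocol)

if (Test-Path -LiteralPath $commandKey) {
    # The default value of the command key is the command line the browser launches.
    $command = (Get-ItemProperty -LiteralPath $commandKey).'(default)'
    Write-Output ("Handler command: {0}" -f $command)

    if ($Remove) {
        if ($PSCmdlet.ShouldProcess($commandKey, 'Remove registry key')) {
            Remove-Item -LiteralPath $commandKey -Force
            Write-Output 'Removed; no application is now the default cai: URL handler.'
        }
    } else {
        Write-Output 'Re-run with -Remove (optionally -WhatIf) to delete the command key as the technote directs.'
    }
} else {
    Write-Output 'No shell\open\command key under cai:; the handler is not active.'
}
```

Running the script without -Remove is a read-only audit suitable for checking many workstations before applying the registry change.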


This specific issue was reported to IBM Quality Engineering as SPR # PRAD7E2LQ4 and is currently under investigation.

Products impacted

Lotus Expeditor Client for Desktop versions 6.1.1 and 6.1.2 have been found to be vulnerable. Contact IBM Support to request the patch.

Lotus Symphony (stand-alone) is currently a beta product which will incorporate a fix when it is finally released.

Additional Information:

This vulnerability was found to be isolated to the Windows operating system and occurs when using Internet Explorer. The issue does not exist under the Mozilla Firefox web browser.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < None >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < Complete >
  • Availability Impact: < Complete >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
 
 
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Mobile - Speech and Enterprise Access | Lotus Expeditor | | | |
Mobile - Speech and Enterprise Access | Lotus Expeditor | Client for Desktop | Linux, Windows | 6.1.2, 6.1.1 |
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Document information
 Product categories:
 Software
 Applications - Desktop & Enterprise
 Productivity & Office Suites
 Lotus Symphony
 Operating system(s):
  Windows
 Software version:
  Beta 4
 Reference #:
  1303813
 IBM Group:
 Software Group
 Modified date:
 2008-05-02
