Controlling the execution of potentially malicious code in Notes mail messages
SecurityBugware has posted an advisory regarding the execution of embedded objects in Lotus Notes mail messages upon reading the message.
This type of attack is prevented by using the Lotus recommended default settings for the Execution Control List (ECL) feature.
To check your workstation's ECL settings prior to Notes 6
Select File, Preferences, User Preferences from the Notes client menu, then click on the Security Options button on the User Preferences dialog box and review the settings for "No Signature". Lotus recommends that all access be disabled for the "No Signature" and "Default" entries.
To check your workstation's ECL settings in Notes 6 and higher
Select File, Security, User Security from the Notes client menu, then click on What Others Do in the User Security Dialog and review the settings for "No Signature". Lotus recommends that all access be disabled for the "No Signature" and "Default" entries.
Specifically, the entry for "No Signature" should not allow "Access to External Programs" in order to prevent this particular attack.
If a Lotus Notes mail message has been received that is set to activate an object upon reading, the user will receive an Execution Security Alert dialog box containing the following information:
Action: OLE Object Activation
Signed by: -No Signature-
Not allowed: Access to external programs
Users have four options in this dialog box: "Abort", "Execute Once", "Trust Signer", "Help". The recommended action is "Abort". Choosing this option will prevent the object from executing and will open the document so that it can be read.
However, due to a regression introduced in R5.0.2, the recommended settings are not sufficient for certain releases. Lotus strongly recommends that users running versions Notes R5.0.2 - Notes R5.0.5 upgrade to Notes R5.0.6 or higher as soon as possible. If it is not possible to upgrade immediately, users should update their ECL settings to deny "Access to external programs" for ALL ECL entries, including "Lotus Notes Template Development/Lotus Notes".
The potential risk of such an attack originating from the Internet is extremely limited in Domino R5. Notes-formatted messages that are sent over the Internet and received by Domino R5 SMTP servers are not automatically decapsulated. The original message is delivered as an ENCAP2.OND attachment. To configure Domino R4.6x SMTP MTA servers to deliver ENCAP2.OND attachments rather than decapsulated messages, upgrade the SMTP MTA servers to Domino R4.6.7 and then configure the Notes.ini parameter: SMTPMTA_NO_DECAPSULATE=1.
Extreme caution should be exercised when launching any attachment; this includes opening a .OND attachment.
Lotus has been aware of the potential for malicious email messages since our early releases. In 1996, we released Notes R4.5, which included a "sandbox" and a PKI-based authorization mechanism, which we call Execution Control Lists, for native Notes programs. We did this before such mechanisms were widely used for securing Java applets in web browsers, and we are proud of the way our foresight has provided protection to millions of our users for many years without crippling their ability to integrate sophisticated workflow applications with their email -- a claim that no other vendor can make even today. We are confident in the high level of security our Notes and Domino client/server environment provides against malicious mail messages, and we continually strive to educate our customers how to manage the security features of the products properly.
We know that strong protection mechanisms and customer education occasionally aren't enough. Users will sometimes do ill-advised things that circumvent all the technical protections we give them, just like they will occasionally circumvent the desktop virus protection software. We are active participants in the PKI, security and Internet standards communities, and have even contributed PKI code to the public domain in the hopes that operating system vendors and Internet standards bodies will someday adopt technologies that provide protection that measures up to what we already provide in Notes and Domino.
When was this feature introduced?
The Execution Control List (ECL) feature was introduced in Notes R4.5.
Where is the Execution Control List (ECL) stored and configured?
The ECL is stored for each user in their desktop.dsk/desktop5.dsk file. Users can access their ECL from File\Preferences\User Preferences\Security Options. Administrators can configure domain-wide settings in the Public Address Book/Domino Directory by selecting Actions\Edit Administration ECL. Workstation ECLs are inherited from the Administration ECL during workstation setup. In R5.0.5 or higher, these settings can be refreshed from the Administration ECL by clicking the "Refresh" button on the Workstation Security Options dialog. The @RefreshECL command can also be used in formulas to update a user's settings.
How do ECLs protect workstations?
ECLs rely on the use of digital signatures. When a design element is created and saved, it is signed with the user's private key from their ID file.
When executable code is activated, Notes checks the signature and verifies what level of access the signer is allowed for that user's workstation. Notes relies on the use of certificates to verify these digital signatures. If a signer can be verified and is listed in the ECL, the rights assigned for that entry apply. If the signature is verified, but an entry for the signer does not exist, the rights assigned to the "Default" entry apply. If a signature cannot be verified, the access rights assigned to the entry for "No Signature" apply.
What is the "Lotus Notes Template Development/Lotus Notes" entry in the ECL?
All Lotus Notes templates shipped with the product are signed with this ID file. This entry is listed in the ECL with all access rights enabled which means that code signed with this ID is trusted to execute on the workstation.
Is it possible for someone to create an ID with the name "Lotus Notes Template Development/Lotus Notes" and evade the ECL?
No. While it is possible for an ID to be created with the same name, the public/private key pair will not match the original. When code signed with the false ID is executed, Notes will be unable to verify the signer and therefore the rights assigned to the entry for "No Signature" will apply. If "No Signature" is not permitted to execute that particular action, Notes will generate an Execution Security Alert dialog box with the warning that "The version of Notes you are running does not recognize the Template Development key that signed this document".
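The following is an added worked example, not Lotus code, that models the ECL decision procedure described above: a verified signer with its own entry gets that entry's rights, a verified signer without an entry falls to "Default", and an unverifiable signature (including an impostor ID that reuses the "Lotus Notes Template Development/Lotus Notes" name with a different key pair) falls to "No Signature". It also applies the R5.0.2-R5.0.5 workaround of denying "Access to external programs" for every entry. The signature check uses an HMAC keyed by per-signer key material as a stand-in for the Notes PKI verification; the ECL contents, signer names, keys and rights strings are constructed here for illustration.

```python
"""Model of Lotus Notes ECL signer resolution (added illustration, not Lotus code).

Assumptions: HMAC over the design element stands in for the Notes PKI
signature check; the sample ECL, trusted keys and signer names are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Right strings as they appear in the Execution Security Alert dialog.
EXTERNAL_PROGRAMS = "Access to external programs"
CURRENT_DATABASE = "Access to current database"

TEMPLATE_SIGNER = "Lotus Notes Template Development/Lotus Notes"

# Constructed ECL following the Lotus recommendation: the template signer is
# fully trusted, while "Default" and "No Signature" grant nothing.
RECOMMENDED_ECL = {
    TEMPLATE_SIGNER: {EXTERNAL_PROGRAMS, CURRENT_DATABASE},
    "Default": set(),
    "No Signature": set(),
}

# Constructed stand-in for the certificates the workstation can verify:
# signer name -> key material bound to that name.
TRUSTED_KEYS = {
    TEMPLATE_SIGNER: b"genuine-template-key",
    "Alice Admin/Acme": b"alice-key",
}


@dataclass(frozen=True)
class SignedElement:
    signer: str      # name claimed by the signing ID
    payload: bytes   # the design element / embedded object
    signature: bytes


def sign(signer, key, payload):
    """Sign a design element with the given key (HMAC stands in for the ID's private key)."""
    return SignedElement(signer, payload, hmac.new(key, payload, hashlib.sha256).digest())


def verify(element, trusted_keys):
    """True only if the claimed signer name has a trusted key AND the signature matches it."""
    key = trusted_keys.get(element.signer)
    if key is None:
        return False
    expected = hmac.new(key, element.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, element.signature)


def resolve_ecl_entry(element, ecl, trusted_keys):
    """Pick the ECL entry whose rights apply, following the technote's rules."""
    if not verify(element, trusted_keys):
        return "No Signature"          # signature cannot be verified
    if element.signer in ecl:
        return element.signer          # verified and listed
    return "Default"                   # verified but no entry for this signer


def check_action(element, action, ecl, trusted_keys):
    """Workstation decision: (allowed, entry applied). False means an Execution Security Alert."""
    entry = resolve_ecl_entry(element, ecl, trusted_keys)
    return action in ecl.get(entry, set()), entry


def deny_external_programs_everywhere(ecl):
    """Interim mitigation for R5.0.2-R5.0.5: strip external-program access from ALL entries."""
    return {name: rights - {EXTERNAL_PROGRAMS} for name, rights in ecl.items()}


if __name__ == "__main__":
    ole = b"OLE object activation on open"   # constructed payload
    cases = {
        "genuine template signer": sign(TEMPLATE_SIGNER, b"genuine-template-key", ole),
        "impostor, same name": sign(TEMPLATE_SIGNER, b"forged-key", ole),
        "verified, unlisted signer": sign("Alice Admin/Acme", b"alice-key", ole),
        "unknown signer": sign("Nobody/Unknown", b"whatever", ole),
    }
    for label, element in cases.items():
        allowed, entry = check_action(element, EXTERNAL_PROGRAMS, RECOMMENDED_ECL, TRUSTED_KEYS)
        verdict = "allowed" if allowed else "Execution Security Alert"
        print(f"{label}: entry={entry!r} -> {verdict}")
    hardened = deny_external_programs_everywhere(RECOMMENDED_ECL)
    allowed, entry = check_action(cases["genuine template signer"], EXTERNAL_PROGRAMS, hardened, TRUSTED_KEYS)
    print(f"after R5.0.2 workaround, genuine signer: entry={entry!r} allowed={allowed}")
```

The impostor case is the point of the question above: the name matches an entry, but because the key does not match the trusted one the signature is unverifiable, so the "No Signature" entry governs and the action is refused.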
What are the Lotus recommended ECL settings for the "Default" and "No Signature" entries?
Both "Default" and "No Signature" should have all access rights disabled. Beginning with R5.0.2 (available in Dec 1999), this is the default configuration.