Ed Schaller contacted IBM Lotus to report a potential Execution Control List (ECL) security issue within the IBM Lotus Notes client.
The ECL, introduced in Notes 4.5, enables users to protect their data against the threats of e-mail bombs, viruses, Trojan horses, and unwanted application intrusions. The ECL provides the mechanism for managing whether such programs or code should be allowed to execute. It has been determined that this mechanism, in specific situations, may prevent the Execution Security Alert from being presented when either a Notes database (.nsf) or Notes template (.ntf) attachments are involved.
The Execution Control List security checking functionality works as expected if a Notes database attachment is opened and buttons are executed manually. However, there is a potential issue if the same code is placed into a Navigator. Under these circumstances the Execution Security Alert (ESA) may not be issued resulting in the auto execution of the attachment.
This issue was reported to Quality Engineering as SPR# KEMG6WELNR, and is fixed in Lotus Notes releases 7.0.3 and 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.
Users are strongly urged to use caution when opening or viewing unsolicited file attachments. Additionally, a proven commercial virus scanning program that filters attachments should be implemented.
|Security Rating using Common Vulnerability Scoring System (CVSS) v2|
|CVSS Base Score: < 9.3 >
---- Impact Subscore: < 10 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.3 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.3 >
|Base Score Metrics:
|Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.