Potential security vulnerabilities in Lotus Notes file viewers for Applix Presents, Folio Flat File, HTML speed reader, KeyView and MIME

Technote (troubleshooting)


Problem

Secunia contacted IBM Lotus to report several potential buffer overflow vulnerabilities in Lotus Notes. In specific situations, there exists the possibility to execute arbitrary code.


To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and the users would then have to double-click and "View" the attachment.


These issues relate to the following file attachment types:
- Applix Presents (.ag)
- Folio Flat File (.fff)
- HTML speed reader (.htm)
- KeyView document viewing engine
- Text mail (MIME)

You can access the advisory at the following link:
http://secunia.com/advisories/28210

(Original publish date April 8, 2008. See "Change History" below.)


Resolving the problem

These issues were reported to Lotus Quality Engineering, and the technology vendor involved has provided software updates. These vulnerabilities are currently being addressed with a patch, and the fixes are targeted to be included in the next major release.


Refer to the table below for details on the issues and the associated Lotus SPR tracking number.

The issues vary depending on the file attachment type, but are all related in how the buffer overflow denial of service could be accomplished. In all cases, the issues involve viewing a malicious attached file.

| File Format | Associated KeyView DLL | Lotus SPR Tracking # | Additional Details |
|---|---|---|---|
| Applix Presents (.ag) | kpagrdr.dll | PRAD79EMMB | Fixed in 7.0.4, 8.0.2, and 8.5 |
| Folio Flat File (.fff) | foliosr.dll | PRAD7AM3LG | Fixed in 7.0.4, 8.0.2, and 8.5 |
| HTML Speed Reader (.htm) | htmsr.dll | PRAD7AP563 | Lotus Notes 8.0 and higher is not vulnerable |
| KeyView document viewing engine, which is used for viewing html attachments | kvdocve.dll | PRAD7AP563 | Lotus Notes 8.0 and higher is not vulnerable |
| Text mail (MIME) | mimesr.dll (used by Lotus Notes prior to release 8.0); emlsr.dll (used by Lotus Notes 8.0 or higher) | PRAD78SMQM and PRAD78SN3A | Fixed in 7.0.4, 8.0.2, and 8.5 |

Note: This issue impacts the Lotus Notes client only; it does not impact the Domino server.


Workarounds for Notes 6.x, 7.x, and 8.x client versions:

Option 1: Contact IBM Support to obtain the patch for the Notes client.

Option 2: Alternatively, you can disable the affected file viewers by following one of the options in the "How to disable viewers within Lotus Notes" section of this technote.


Workaround for Notes 5.x client versions:

If you are interested in protecting yourself from these vulnerabilities, we recommend disabling the viewers as described in the "How to Disable Viewers within Lotus Notes" section of this technote. There is no software fix available for the 5.x Notes client version.


How to disable viewers within Notes:

Option 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer configuration file."

Option 2: Delete the problem .dll file. When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Option 3: In keyview.ini, comment out every line that references the problem file (dll). To comment out a line, precede it with a semicolon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

For example:

[KVARCVE]
; 35=lasr.dll
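
Option 3 as an added example (not IBM's code): a Python helper that comments out every active keyview.ini line referencing one of the DLL names listed in the table above, and reports what it changed. The sample file contents, the [ExampleSection] name, the entry numbers and othersr.dll are constructed for illustration; only [KVARCVE] and the lasr.dll line come from this technote.

```python
import re

# DLL names from the table in this technote.
AFFECTED_DLLS = {"kpagrdr.dll", "foliosr.dll", "htmsr.dll",
                 "kvdocve.dll", "mimesr.dll", "emlsr.dll"}

# Constructed sample; only [KVARCVE] and the lasr.dll line come from the
# technote. Section name, entry numbers and othersr.dll are hypothetical.
SAMPLE_INI = """\
[KVARCVE]
; 35=lasr.dll
[ExampleSection]
36=kpagrdr.dll
10=FOLIOSR.DLL
11=othersr.dll
"""


def disable_viewers(ini_text, dlls=AFFECTED_DLLS):
    """Comment out active entries that reference any of `dlls`.

    Returns (new_text, changed), where changed lists (section, entry)
    for each line that was prefixed with ';'.
    """
    wanted = {d.lower() for d in dlls}
    out, changed, section = [], [], None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif stripped and not stripped.startswith(";") and "=" in stripped:
            value = stripped.split("=", 1)[1].lower()
            # Split on whitespace, commas and path separators so a full
            # path to the DLL matches as well as the bare file name.
            if wanted & set(re.split(r"[\s,\\/]+", value)):
                changed.append((section, stripped))
                line = "; " + line
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = disable_viewers(SAMPLE_INI)
    for section, entry in changed:
        print(f"commented out [{section}] {entry}")
    # A second pass finds nothing left to disable, which doubles as a check
    # that no affected viewer is still active.
    assert disable_viewers(new_text)[1] == []
```

Run it against a copy of keyview.ini and keep the original as a backup; the change is reversed by removing the added semicolons.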


Additional Background
In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments.

The attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using one of the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.





Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.3
---- Impact Subscore: 10
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.3
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.3
Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
References:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.



Change History
16 April 2010 Internal update.
21 June 2009 Added link to Fix Central. Added fix info for Notes 7.0.4 and 8.0.2.
8 April 2008 Initial publication.



Document information

More support for: IBM Notes, Editor
Software version: 6.0, 6.5, 7.0, 8.0, 8.0.1
Operating system(s): Windows
Reference #: 1298453
Modified date: 2011-05-22
