IBM was made aware of a potential vulnerability in IBM® Lotus® Symphony, which uses Lotus Expeditor code, that may allow an attacker to execute malicious code on a user's workstation under certain circumstances.
Information about this issue has been published at the following locations:
Full Disclosure Web site: http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061750.html
Bugtraq Web site: http://seclists.org/bugtraq/2008/Apr/0277.html
Resolving the problem
Remove the following key from the Microsoft Windows Registry:
Once this key is removed, no application is considered the default CAI URL handler.
This specific issue was reported to IBM Quality Engineering as SPR # PRAD7E2LQ4 and is currently under investigation.
Lotus Expeditor Client for Desktop versions 6.1.1 and 6.1.2 have been found to be vulnerable.
A fix for this issue is available for download from Fix Central as Lotus Expeditor 6.1.1 Client for Desktop IFix 4 and 6.1.2 Client for Desktop IFix 1.
Please see the following document for details on the fixes:
6.1.1 IFix 4
Lotus Symphony (stand-alone) is currently a beta product which will incorporate a fix when it is finally released.
This vulnerability was found to be isolated to the Windows operating system and occurs when using Internet Explorer. The issue does not exist under the Mozilla Firefox web browser.
Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.3
---- Impact Subscore: 10
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.3
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.3
Base Score Metrics:
Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
| Mobile - Speech and Enterprise Access | Lotus Expeditor | Client for Desktop | Linux, Windows | 6.1.2, 6.1.1 |
| Applications - Desktop & Enterprise | Lotus Symphony | Presentation editor | Windows | Beta 4 |
| Applications - Desktop & Enterprise | Lotus Symphony | Spreadsheet editor | Windows | Beta 4 |