Response to 'IBM Lotus Notes 8.5 RSS Widget Privilege Escalation'

IBM Lotus Notes 8.x (Standard Configuration) clients include a built-in RSS feed reader which allows you to receive regular RSS updates from Web sites. In certain circumstances end users may find themselves vulnerable to a cross-site scripting exploit.

To successfully exploit this vulnerability, the following circumstances must be true:

(1) Attacker must develop a malicious RSS-enabled Web site

(2) User must be running Lotus Notes 8.x Standard Configuration. [Note: The RSS feature is not available in the Notes 8 Basic Configuration.]

(3) User must be persuaded to register to the malicious RSS-enabled Web site.

The user could experience the vulnerability when they preview the new content which displays in a pop-up window.

Link to related advisories
http://www.securityfocus.com/archive/1/archive/1/506296/100/0/threaded
This issue is being tracked under SPR# RGAU7RDJ9K . A fix will be included in Notes 8.5.1 and Notes 8.0.2 Fix Pack 3. Refer to the Notes/Domino Update Status page for approximate release dates.

Mitigation Options

For Notes 8.5.x

Upgrade to Notes 8.5.1 once the version is available. In the meantime, perform one of the recommended options listed below.

Option 1: Disable the pop-up preview window Notes client preference

From the Notes menu select Files > Preferences > Feeds. In the "Feed Reader Preview" section, uncheck "Show feed preview pop-up window".

Or, to set this client preference via a Desktop Policy, configure "Managed Settings" options under "Custom Settings" as follows...

Plug-in Name: com.ibm.rcp.feedreader.providers
Item: ui.prefpage.display.previewwindow
Value: false

- or -

Option 2: Increase your browser security setting for "Local Intranet" zone to High



For Notes 8.0.x

Upgrade to Notes 8.0.2 Fix Pack 3 once the version is available. In the meantime, you should increase the browser security setting for "Local Intranet" zone to High.

General cautionary note

Users are strongly urged to use caution when subscribing to RSS-enabled Web sites.

---

Security Rating Using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: < 4.3 > ---- Impact Subscore: < 2.9 > ---- Exploitability Subscore: < 8.6 > CVSS Temporal Score: < 3.4 > CVSS Environmental Score: < Undefined* > Overall CVSS Score: < 3.4 >

Base Score Metrics: Related exploit range/Attack Vector: < Network > Access Complexity: < Medium > Authentication < None > Confidentiality Impact: < None > Integrity Impact: < Partial > Availability Impact: < None >

Temporal Score Metrics: Exploitability: < Proof of Concept Code> Remediation Level: < Official Fix > Report Confidence: < Confirmed >

References: CVSS v2 Complete Documentation CVSS v2 Online Calculator

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.