Response to 'IBM Lotus Notes 8.5 RSS Widget Privilege Escalation'
IBM Lotus Notes 8.x (Standard Configuration) clients include a built-in RSS feed reader which allows you to receive regular RSS updates from Web sites. In certain circumstances end users may find themselves vulnerable to a cross-site scripting exploit.
To successfully exploit this vulnerability, all of the following circumstances must be true:
(1) The attacker must set up a malicious RSS-enabled Web site.
(2) The user must be running Lotus Notes 8.x Standard Configuration. [Note: The RSS feature is not available in the Notes 8 Basic Configuration.]
(3) The user must be persuaded to subscribe to the malicious RSS-enabled Web site.
The vulnerability is triggered when the user previews the new feed content, which is displayed in a pop-up window.
Resolving the problem
This issue is being tracked under SPR# RGAU7RDJ9K. A fix will be included in Notes 8.5.1 and Notes 8.0.2 Fix Pack 3. Refer to the Notes/Domino Update Status page for approximate release dates.
For Notes 8.5.x
Upgrade to Notes 8.5.1 once that version is available. In the meantime, apply one of the recommended options listed below.
Option 1: Disable the pop-up preview window Notes client preference
From the Notes menu select Files > Preferences > Feeds. In the "Feed Reader Preview" section, uncheck "Show feed preview pop-up window".
Or, to set this client preference via a Desktop Policy, configure "Managed Settings" options under "Custom Settings" as follows...
Plug-in Name: com.ibm.rcp.feedreader.providers
- or -
Option 2: Increase your browser security setting for "Local Intranet" zone to High
For Notes 8.0.x
Upgrade to Notes 8.0.2 Fix Pack 3 once that version is available. In the meantime, increase the browser security setting for the "Local Intranet" zone to High.
General cautionary note
Users are strongly urged to use caution when subscribing to RSS-enabled Web sites.
Security Rating Using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 4.3
  Impact Subscore: 2.9
  Exploitability Subscore: 8.6
CVSS Temporal Score: 3.4
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3.4
Base Score Metrics:
Temporal Score Metrics:
*The CVSS Environmental Score is specific to each customer's environment and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their own environments by accessing the referenced links.