(July 2010) Fixes for potential security vulnerabilities in Lotus Notes file viewers

Technote (troubleshooting)


Problem

iDefense Labs, Secunia, and TippingPoint's Zero Day Initiative (ZDI) contacted IBM Lotus to report potential buffer overflow vulnerabilities in several Lotus Notes file viewers.

(Original publish date July 27, 2010. See "Change History" below.)

Resolving the problem

In specific situations, arbitrary code could potentially be executed when the following types of attachments are viewed in Notes:

  • Lotus 1-2-3 Spreadsheet
  • Microsoft Office Spreadsheet
  • Microsoft Office Word
  • Microsoft Word 2.0
  • OLE document
  • QuattroPro speed reader
  • WordPerfect 5

To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and then users would have to double-click the attachment and select "View".

The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted.

Refer to the tables in the "Additional Information" section below for more information on each issue, including the name of the vulnerable .dll files, the Lotus SPR tracking numbers, and fix availability for each code stream. You can also find related information on the Web sites of the security researchers who discovered the issues:


Recommended Fix

These issues have been investigated by IBM Lotus and the technology vendors involved. To address the issues, customers are encouraged to apply the following Fix Packs:

  • 8.0.2 Fix Pack 6 (Available on Fix Central as of July 26, 2010; release notice)
  • 8.5.1 Fix Pack 4 (Available on Fix Central as of August 4, 2010; release notice)

For customers unable to apply these Fix Packs, IBM Lotus is providing a self-extracting .zip file with a script to apply a single, cross-version patch for Notes 8.5.1.x, 8.0.x, and 7.0.x. The patch is now available for download from Fix Central (a direct download link is provided below). See the Workarounds section for more details.


Workarounds

** IMPORTANT UPDATE** A new patch named "Keyview_Security_patch0921.exe" was posted to Fix Central on Sept. 22nd, 2010. The only change between the new patch and the original one is the addition of the environment variable "KVPATCHER_UIMODE". By default KVPATCHER_UIMODE is disabled (set to "0"), which means that a success prompt will not display at the end of the install. See the instructions below for more details.

For Notes 8.5.x, 8.0.x, 7.x

Option 1: Download and apply the patch Keyview_Security_patch0921.exe from Fix Central.

This single patch has contents that apply to Notes 8.5.1, 8.0x, and 7.0x so it can be run on a client machine with any of these releases. The script will determine the correct version and then apply the patches into the Notes Program or MUI directory.

This patch does not interfere with existing hotfixes, Interim Fixes, Cumulative Client Hotfixes, Fix Packs, or Maintenance Releases, and it does not revise the Notes version string. Customers who want to confirm the patch has been applied can examine the file date or apply a Fix Pack that contains the fixes.

Instructions for running the patch:

1) Place the downloaded patch (Keyview_Security_patch0921.exe) on the desired machine or network drive.

2) Shut down the Notes client to ensure KeyView files to be replaced are not in memory.


3) Run Keyview_Security_patch0921.exe as Administrator (a dialog will appear briefly as the files are being extracted).

By default, the install runs silently without displaying a success prompt at the end. If you want the success prompt shown below to appear, then you must issue the following two commands at the command prompt:

> Set KVPATCHER_UIMODE=1
> LotusNotesKeyviewUpdate.exe




*** TIP ***: An alternative method for deploying the patch is described in the following Wiki article: "How to deploy non-versioned patches via Smart Upgrade"


Option 2: Disable the affected file viewers by following one of the options in the "Options to disable viewers within Notes" section of this technote.

For Notes 6.x

The KeyView viewer technology has advanced considerably since Notes 6.5. Due to these advancements, we are recommending that customers upgrade to a later release as the long term solution to avoid exposure to vulnerabilities. As further issues are discovered, the solution for customers running Notes 6.5 (and in some cases Notes 7) will be to disable KeyView or particular modules impacted, until an upgrade can occur. As a guideline, providing KeyView security solutions on releases that have been in market longer than 5 years will not be possible.

Option 1: Upgrade to a later release.

- or -

Option 2: Disable the viewer as described in the "Options to disable viewers within Notes" section of this technote.

For Notes 5.x
Disable the affected file viewers by following one of the options in the "Options to disable viewers within Notes" section of this technote. There is no software fix available for the Notes 5.x code stream.


Options to disable viewers within Notes
Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
After removing the dll file, when a user tries to view a file that requires that viewer, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out
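
The keyview.ini edit described above can be scripted for rollout to many clients. The following is an added example, not IBM's code: it comments out every active entry that references an affected DLL and leaves already-commented lines alone. The DLL names come from the tables in "Additional Information" plus xlssr.dll from the example above; the sample file contents are constructed, and only [KVWKBVE] and 188=xlssr.dll appear in this technote.

```python
import re

# DLL names from the tables in "Additional Information", plus xlssr.dll
# from the technote's own keyview.ini example.
AFFECTED_DLLS = {"wkssr.dll", "xlssr.dll", "kpmsordr.dll", "mwsr.dll",
                 "kvolefio.dll", "qpssr.dll", "wosr.dll"}

# An active key=value line, i.e. one not already commented out with ';'.
ENTRY = re.compile(r"^\s*(?P<key>[^;=\[\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")
SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]")


def disable_viewers(ini_text, dlls=AFFECTED_DLLS):
    """Return (new_text, changes); changes lists (section, key, dll) disabled."""
    wanted = {d.lower() for d in dlls}
    out, changes, section = [], [], None
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the file's own line endings
        sec = SECTION.match(body)
        entry = ENTRY.match(body)
        if sec:
            section = sec.group("name")
        elif entry:
            # Compare the file name only, so a full path to the DLL also matches.
            dll = re.split(r"[\\/]", entry.group("value"))[-1].lower()
            if dll in wanted:
                changes.append((section, entry.group("key"), dll))
                body = ";" + body
        out.append(body + eol)
    return "".join(out), changes


# Constructed sample: only [KVWKBVE] and 188=xlssr.dll come from the technote;
# the other section name, keys and examplesr.dll are made up for illustration.
SAMPLE = (
    "[KVWKBVE]\r\n"
    "188=xlssr.dll\r\n"
    "190=WKSSR.DLL\r\n"
    ";191=qpssr.dll\r\n"
    "[EXAMPLEVE]\r\n"
    "200=examplesr.dll\r\n"
    "201=C:\\notes\\wosr.dll\r\n"
)

if __name__ == "__main__":
    patched, changed = disable_viewers(SAMPLE)
    print(patched)
    for sec, key, dll in changed:
        print(f"disabled {dll} (key {key}) in [{sec}]")
```

Keep a backup copy of keyview.ini before writing the result back, so the entries can be restored once a Fix Pack or the patch has been applied.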


Additional Information

Note: All potential vulnerabilities are investigated to understand the issue and the required fix. However, in some cases, due to significant architectural enhancements in the product there may be cases where a workaround will be the only option.

Lotus 1-2-3 Spreadsheet (wkssr.dll)


| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2010-0131 | PRAD83F4CU | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |
| CVE-2010-0133 & CVE-2010-1525 | PRAD83M2UM | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |
| CVE-2010-1524 | PRAD83ML59 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |


Microsoft Office Spreadsheet (wkssr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| Unknown | PRAD8225G4 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |
| Unknown | PRAD8225K3 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |


Microsoft Office Word (kpmsordr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| Unknown | PRAD8225BX | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |


Microsoft Word 2.0 (mwsr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| Unknown | PRAD82255P | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | TippingPoint's ZDI |


OLE document (kvolefio.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2009-3032 | PRAD7WK4NV | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP4 | Fixed in 8.5.1 FP1 | Fix Included | iDefense |


QuattroPro speed reader (qpssr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2010-0126 | PRAD837LDA | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |


WordPerfect 5 (wosr.dll)

| CVE # | SPR # | Notes 6.5.x | Notes 7.x | Notes 8.0.x | Notes 8.5.1 | Notes 8.5.2 | Discovered by |
|---|---|---|---|---|---|---|---|
| CVE-2010-0135 | PRAD83M367 | Workaround Avail | Patch Avail | Fixed in 8.0.2 FP6 | Fixed in 8.5.1 FP4 | Fix Included | Secunia |


General cautionary note


Users are strongly urged to use caution when opening or viewing unsolicited file attachments.

Attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.



Security Rating Using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.3
---- Impact Subscore: 10
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.3
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.3
Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.



Change History
22 September 2010 Added information on new patch named Keyview_Security_patch0921.exe. Removed references to old patch named Keyview_Security_patch0719.exe
27 July 2010 First published.

Related information

Domino and Notes 8.5 - KeyView filter formats supported
Domino and Notes 8.5.1 - KeyView filter formats support


Document information


More support for: IBM Notes, Editor
Software version: 5.0, 6.5.6, 7.0, 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1
Operating system(s): Windows
Reference #: 1440812
Modified date: 2010-09-22
