(May 2011) Fixes for potential security vulnerabilities in Lotus Notes file viewers

In specific situations, arbitrary code could potentially be executed when the following types of attachments are viewed in Notes:

• LZH archive
• RTF document
• Applix Spreadsheets
• Microsoft Excel document
• Microsoft Office document
• Lotus Notes .prz file
• Lotus Notes .zip file

To exploit these vulnerabilities, an attacker would have to send a specially crafted file attachment to users, and then users would have to double-click the attachment and select "View".

The specific issues vary depending on attachment type; however, they are all related in how the buffer overflow denial-of-service could be accomplished. In all cases, the issues involve viewing a malicious attachment from a Notes client on a Windows-based machine. Domino servers are not impacted.

Refer to the tables in the "Additional Information" section below for more information on each issue, including the name of the vulnerable .dll files, the IBM SPR tracking numbers, and fix availability for each code stream. You can also find related information on the Web sites of the security researchers who discovered the issues:

• iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/
• CoreLabs Research: http://www.coresecurity.com/content/corelabs-advisories
• IBM Internet Security Systems: http://xforce.iss.net

Recommended Fix

These issues have been investigated by IBM and the technology vendors involved. To address the issues, customers are encouraged to apply one of these Fix Packs:

• Interim Fix 1 for Notes 8.5.2 Fix Pack 2 (Available on Fix Central as of May 25, 2011. See technote 1500632 for download links and more info)

• 8.5.2 Fix Pack 3

• 8.5.3

Workarounds

For Notes 8.5.2.x

Option 1: Upgrade to Interim Fix 1 for Notes 8.5.2 Fix Pack 2. See technote 1500632 for download links and more information..

- or -

Option 2: Apply patch detailed below in " Self-extracting patch" section.

- or -

Option 3: Disable viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.


For Notes 8.5.1. x and 8.0.x

Option 1: Apply patch detailed below in " Self-extracting patch" section.

- or -

Option 2: Disable viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.


For Notes 7.x, 6.x, and 5.x

Disable viewer as described in the "Options to disable viewers within Lotus Notes" section of this technote.

Self-extracting patch

Fix Central ID	Filename & download link
Notes_Keyview_Security_Fixes_06062011	Keyview_Security_patch06062011.exe

** IMPORTANT NOTE ** There is an environment variable "KVPATCHER_UIMODE". By default KVPATCHER_UIMODE is disabled (set to "0"), which means that a success prompt will not display at the end of the install. See the instructions below for more details.


Instructions for running the patch:

1) Place the downloaded patch on the desired machine or network drive.

2) Shut down the Notes client to ensure KeyView files to be replaced are not in memory.

3) Run Keyview_Security_patch-06062011.exe as Administrator (a dialog will appear briefly as the files are being extracted).

By default, the install runs silently without displaying a success prompt at the end. If you want the success prompt shown below to appear, then you must issue the following two commands at the command prompt:

> Set KVPATCHER_UIMODE=1
> LotusNotesKeyviewUpdate.exe




*** TIP ***: An alternative method for deploying the patch is described in the following Wiki article: " How to deploy non-versioned patches via Smart Upgrade"


Additional details about the patch

• This single cross-version patch will apply to Notes 8.5.2.x, 8.5.1.x, and 8.0.x so it can be run on a client machine with any of these releases.

• The script will determine the correct version and then apply the patches into the Notes Program or MUI directory.

• The patch will not interfere with existing hotfixes, Interim Fixes, Cumulative Client Hotfixes, Fix Packs, or Maintenance Releases, and it will not revise the Notes version string. Customers who want to confirm the patch has been applied can examine the file date.

Options to disable viewers within Notes

Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
After removing the dll file, when a user tries to view a file that requires that viewer, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out

Additional Information

Note: All potential vulnerabilities are investigated to understand the issue and the required fix. However, in some cases (as is this one), due to significant architectural enhancements in the product there may be cases where a workaround will be the only option. Refer back to the above section for the workaround option for Notes 5.x, 6.x, and 7.x.

Discovered by CoreLabs Research

CVE #	SPR #	File viewer / vulnerable DLL	Notes 8.0.x	Notes 8.5.1	Notes 8.5.2	Notes 8.5.3
CVE-2011-1512 and CVE-2011-1213	PRAD8E3HKR	Excel Document xlssr.dll	Patch	Patch	IF1 for 852FP2 Patch 852FP3 (ETA Q3)	Fix Included

Discovered by iDefense Labs

CVE #	SPR #	File viewer / vulnerable DLL	Notes 8.0.x	Notes 8.5.1	Notes 8.5.2	Notes 8.5.3
CVE-2011-1214	PRAD88MJ2W	LZH archive file format lzhsr.dll	Patch	Patch	IF1 for 852FP2 Patch 852FP3 (ETA Q3)	Fix Included
CVE-2011-1215	PRAD8823JQ	RTF Attachment Viewer rtfsr.dll	Patch	Patch	Not vulnerable	Fix Included
CVE-2011-1216	PRAD8823ND	Office Document mw8sr.dll	Patch	Patch	IF1 for 852FP2 Patch 852FP3 (ETA Q3)	Fix Included
CVE-2011-1217	PRAD8823A7	Applix Spreadsheets assr.dll	Patch	Patch	IF1 for 852FP2 Patch 852FP3 (ETA Q3)	Fix Included
CVE-2011-1218	RAD8E3NKZ	Lotus Notes .prz file format kpprzrdr.dll	Patch	Patch	IF1 for 852FP2 Patch 852FP3 (ETA Q3)	Fix Included
CVE-2011-1219	PRAD8E3NSP	Lotus Notes .zip File format kvarcve.dll	Patch	Patch	IF1 for 852FP2 Patch 852FP3 (ETA Q3)	Fix Included

General cautionary note

Users are strongly urged to use caution when opening or viewing unsolicited file attachments.

Attachments will not auto-execute upon opening or previewing the email message; the file attachment must be opened by the user using the mentioned file viewers. In some cases, further user action is also required to trigger the exploit.

Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: < 9.3 > ---- Impact Subscore: < 10 > ---- Exploitability Subscore: < 8.6 > CVSS Temporal Score: < 7.3 > CVSS Environmental Score: < Undefined* > Overall CVSS Score: < 7.3 >

Base Score Metrics: Related exploit range/Attack Vector: < Network > Access Complexity: < Medium > Authentication < None > Confidentiality Impact: < Complete > Integrity Impact: < Complete > Availability Impact: < Complete >

Temporal Score Metrics: Exploitability: < Proof of Concept Code> Remediation Level: < Official Fix > Report Confidence: < Confirmed >

References: CVSS v2 Complete Documentation CVSS v2 Online Calculator

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

---

Change History
17 Jun 2011	Added download link to patch on Fix Central
01 Jun 2011	Added CVE numbers
25 May 2011	Added link to readme technote for Interim Fix 1 for 852FP2
24 May 2011	Changed ETA for Interim Fix 1 for 852FP2 to May 25th
24 May 2011	Initial publication