Security Bulletin: Vulnerability in IBM Lotus Symphony related to graphic objects loading (CVE-2012-0192)
An integer overflow vulnerability in the IBM Lotus Symphony visual class library module (vclmi.dll) could allow a remote attacker to cause a denial of service (application crash) or potentially execute arbitrary code on vulnerable installations of Lotus Symphony.
CVE ID: CVE-2012-0192
DESCRIPTION: Various graphic objects, such as JPEG and PNG images, can be embedded within Lotus Symphony documents. Due to an integer overflow vulnerability in the visual class library module (vclmi.dll) used by Lotus Symphony, it might be possible for a remote attacker to cause a denial of service or potentially execute arbitrary code on the system. For a remote attacker to exploit this vulnerability, the following steps must be accomplished:
- The attacker needs to create a malicious document file containing a specially crafted embedded graphic object, and host that file on a web site or send it to potential users as an email attachment.
- The user must be persuaded to open the malicious document in a vulnerable version of Lotus Symphony.
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/72424 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
All Lotus Symphony platforms.
REMEDIATION: This issue has been addressed in Lotus Symphony 3.0.1. Users are encouraged to upgrade to the latest release (see below).
Vendor Fixes: Users can download and upgrade to the latest Lotus Symphony release at
To work around the described issue, do not load documents from untrusted sources.
Mitigation(s): None known; apply fix.
ACKNOWLEDGEMENT: The vulnerability was reported to IBM by Tielei Wang via Secunia SVCRP.
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.