In association with heise online

02 March 2010, 12:00

Buffer overflow in Lotus iNotes


The Lotus iNotes ActiveX control for reading email from within a browser contains a programming error which can result in a buffer overflow. This could be exploited by an attacker to infect an iNotes user with spyware on visiting a crafted web page.

Lotus iNotes, previously known as Lotus Domino Web Access, provides Notes users with web access to their email accounts. To achieve this, it installs an ActiveX control which remains active once used and can then be called by any web site. It thus represents a potential target for attack. IBM does not reveal precisely which versions are affected, but the bug is reported to be fixed in versions 7.0.4 and 8.5. As a workaround, the vendor recommends either setting the kill bit for the ActiveX control in question or disabling ActiveX completely.
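One way to apply the kill-bit workaround mentioned above, as an added PowerShell example that is not part of the article or of IBM's advisory. The CLSID is a placeholder, since the article does not name the control's; the registry location and the 0x400 flag are Internet Explorer's documented kill-bit mechanism.

```powershell
# Added example (not from the article): check and set the Internet Explorer
# "kill bit" for an ActiveX control, the first workaround IBM recommends.
# PLACEHOLDER CLSID: the article does not give the iNotes control's CLSID,
# so substitute the value from IBM's advisory before running this.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Bit 0x400 in "Compatibility Flags" tells IE never to instantiate the control.
$KillBit = 0x400

function Get-KillBitPaths {
    param([string]$Clsid)
    # Native registry view, plus the 32-bit view on 64-bit Windows,
    # because 32-bit IE loads 32-bit controls from the Wow6432Node hive.
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $paths = @("$base\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-KillBit {
    param([string]$Clsid)
    # $true only when every applicable registry view has the kill bit set.
    foreach ($p in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $p)) { return $false }
        $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([string]$Clsid)
    # Requires an elevated shell; ORs the kill bit into any flags already present
    # rather than overwriting them.
    foreach ($p in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBit
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

if (-not (Test-KillBit $Clsid)) { Set-KillBit $Clsid }
"Kill bit set for ${Clsid}: $(Test-KillBit $Clsid)"
```

Test-KillBit can also be run on its own, without the Set-KillBit step, to audit a fleet for controls whose kill bit is missing in one of the two registry views.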

The problem has an interesting history. iDefense reports that it alerted IBM to the problem in September 2008 – more than 18 months ago. IBM's security alert offers no hint as to why it has taken so long to issue a security warning.
