Hole in IBM's Lotus Sametime Web conferencing solution
Security service provider iDefense has reported a critical security hole in IBM's Lotus Sametime web conferencing solution that attackers could exploit to gain control of a PC. The problem occurs because of improper checking of a function of the ActiveX control STJNILoader.ocx that can load additional libraries. Apparently, the path indicated is not verified, allowing just about any library on the system to be exploited. Attackers can use them to load and execute malicious software. However, for the attack to succeed victims not only have to visit a malicious website, but also download and save a specially prepared file.
On the other hand, the file does not have to have any specific ending for the control to load it. In other words, users may think they are saving a perfectly harmless TXT file, when in fact the file they are putting on their system is malicious. Sametime 7.0 with version 220.127.116.11 of the STJNILoader.ocx control is affected. IBM says that Lotus Sametime has been using Java instead of the ActiveX control to initialize Web conferencing since version 7.5. The vendor has provided an update for version 7.0. According to iDefense, Lotus Sametime does not even necessarily have to be completely installed for the attack to succeed; it suffices if the control is on the computer. And if it is missing, the malicious website would prompt the user to install it and even assist in the process. As a workaround, iDefense recommends switching off ActiveX or setting the kill-bit for the control so that it cannot be executed.
- IBM Lotus Sametime JNILoader Vulnerability, IBM's security advisory
- IBM Lotus Sametime JNILoader Arbitrary DLL Load Vulnerability, iDefense's security advisory