In association with heise online

30 March 2007, 14:45

Hole in IBM's Lotus Sametime Web conferencing solution


Security service provider iDefense has reported a critical security hole in IBM's Lotus Sametime web conferencing solution that attackers could exploit to gain control of a PC. The problem lies in a function of the ActiveX control STJNILoader.ocx that can load additional libraries: the path passed to it is apparently not verified, so just about any library on the system can be loaded, which attackers can use to load and execute malicious software. However, for the attack to succeed victims not only have to visit a malicious website, but also download and save a specially prepared file.

On the other hand, the file does not need any particular extension for the control to load it. In other words, users may think they are saving a perfectly harmless TXT file, when in fact the file they are putting on their system is malicious. Sametime 7.0 with version of the STJNILoader.ocx control is affected. IBM says that Lotus Sametime has been using Java instead of the ActiveX control to initialise Web conferencing since version 7.5. The vendor has provided an update for version 7.0. According to iDefense, Lotus Sametime does not even have to be completely installed for the attack to succeed; it suffices that the control is present on the computer. And if it is missing, the malicious website would prompt the user to install it and even assist in the process. As a workaround, iDefense recommends switching off ActiveX or setting the kill-bit for the control so that it cannot be executed.
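The kill-bit workaround mentioned above is Microsoft's documented mechanism for stopping Internet Explorer from instantiating a given ActiveX control: a `Compatibility Flags` DWORD of 0x400 under the control's CLSID in the `ActiveX Compatibility` registry key. The following PowerShell script is an added example written for this page, not code from iDefense, IBM or the article; it locates the CLSID registered for a module name by scanning `HKEY_CLASSES_ROOT\CLSID` for an `InprocServer32` path containing that name (the module name `STJNILoader.ocx` is taken from the article; the CLSID itself is not given on the page and is therefore discovered rather than hard-coded), sets the kill bit, and verifies that it took effect.

```powershell
# Added example (not from the article): set the ActiveX kill bit for a control
# identified by its module file name, then verify the registry setting.
# Must run in an elevated (Administrator) session because it writes to HKLM.

# Module name from the article; the CLSID is looked up, not assumed.
$ModuleName = 'STJNILoader.ocx'

# Find every CLSID whose in-process server path contains the module name.
# Returns the CLSID strings (including braces) or nothing if not registered.
function Find-ClsidByModule {
    param([Parameter(Mandatory)][string]$Module)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like "*$Module*") { $_.PSChildName }
        }
}

# Kill-bit key for a CLSID (64-bit IE). 32-bit IE on a 64-bit OS reads the
# Wow6432Node copy, so both are returned and both get the flag.
function Get-KillBitKeyPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

# Set Compatibility Flags = 0x400 (the documented kill bit), creating the key if needed.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value 0x400 `
        -PropertyType DWord -Force | Out-Null
}

# True when the kill bit is present in Compatibility Flags for that key.
function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $item  = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return (([int]$item.'Compatibility Flags' -band 0x400) -eq 0x400)
}

$clsids = @(Find-ClsidByModule -Module $ModuleName)
if ($clsids.Count -eq 0) {
    Write-Host "$ModuleName is not registered on this machine; nothing to do."
} else {
    foreach ($clsid in $clsids) {
        foreach ($path in Get-KillBitKeyPaths -Clsid $clsid) {
            Set-ActiveXKillBit -Path $path
            $state = if (Test-ActiveXKillBit -Path $path) { 'set' } else { 'NOT set' }
            Write-Host "Kill bit $state for $clsid at $path"
        }
    }
}
```

Setting the kill bit blocks instantiation from web pages without unregistering or deleting the .ocx, so it is reversible (delete the `Compatibility Flags` value or the key) once the vendor update for 7.0 has been applied. Because the article notes that the control can be loaded even when Sametime is not fully installed, the check in `Find-ClsidByModule` is worth running on any machine where the .ocx may have been dropped, not only on machines with a complete Sametime installation.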
