In association with heise online

02 May 2013, 17:30

Huge Java hole in Lotus Notes - Update


IBM's Notes/Domino, an email and workgroup system that is especially popular in large companies, has a serious security problem that IBM plans to fix with an update. Merely opening an email could trigger the installation of spyware on a Notes user's computer.

Java embedded in web pages has been criticised as a security risk for some time now. Automatic execution of JavaScript code when an email is opened can also have unwanted consequences, such as leaking when and where the email was read. That is why practically every email client turns off both JavaScript and Java when rendering an HTML email – every client except IBM's Notes.

After being contacted by a third-party security expert, IBM has now also recognised that designing Notes clients to load and execute JavaScript code, and even Java applets, from external servers without asking for permission is a security risk – especially since Lotus Notes bundles a Java runtime (IBM Java 6 SR12) that is already known to contain highly critical security holes.

"Interim fixes" are now available that address the problem by disabling these functions. Users can also work around the issue manually by setting variables in the notes.ini file that turn Java applets and JavaScript off in the client.

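As an added example, not code from the article or from IBM: a small Python audit of a Notes client's notes.ini that reports whether the Java and JavaScript features are switched off and rewrites the file so that they are. The three key names (EnableJavaApplets, EnableJavaScript, EnableLiveConnect) are my recollection of the settings IBM's workaround guidance named and are an assumption here, since the page does not reproduce them; the sample notes.ini is constructed. Check the names and values against IBM's advisory before relying on them, and apply the interim fix wherever one exists.

```python
"""Audit and harden a Notes client's notes.ini for the Java/JavaScript
kill-switches. Added example; the key names are an assumption (see lead-in).
"""
import re

# notes.ini keys assumed to control the risky features (assumption, not from
# the page). A value of 0 disables the feature; an absent key or any other
# value is treated as enabled, matching the permissive default the article
# describes.
MITIGATIONS = {
    "EnableJavaApplets": "0",
    "EnableJavaScript": "0",
    "EnableLiveConnect": "0",
}

# key=value line; section headers such as [Notes] do not match and are ignored
_KV = re.compile(r"^\s*([A-Za-z0-9_$]+)\s*=\s*(.*?)\s*$")


def parse_notes_ini(text):
    """Parse notes.ini text into {key: value}.

    Keys are normalised to lower case so that lookups are case-insensitive;
    if a key appears twice, this parser keeps the last occurrence.
    """
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(text):
    """Return the mitigation keys that are NOT set to their safe value."""
    settings = parse_notes_ini(text)
    return [key for key, safe in MITIGATIONS.items()
            if settings.get(key.lower()) != safe]


def harden(text):
    """Return notes.ini text with every mitigation key set to its safe value.

    Existing assignments are rewritten in place (every occurrence, so a
    duplicate later in the file cannot silently re-enable the feature);
    keys that are absent are appended at the end.
    """
    wanted = {k.lower(): (k, v) for k, v in MITIGATIONS.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1).lower() in wanted:
            name, val = wanted[m.group(1).lower()]
            out.append(f"{name}={val}")
            seen.add(m.group(1).lower())
        else:
            out.append(line)
    for lk, (name, val) in wanted.items():
        if lk not in seen:
            out.append(f"{name}={val}")
    return "\n".join(out) + "\n"


# Constructed sample: a client notes.ini with Java applets explicitly enabled
# and the other two keys absent (so left at their permissive defaults).
SAMPLE_INI = """\
[Notes]
Directory=C:\\Notes\\Data
KitType=1
EnableJavaApplets=1
"""

if __name__ == "__main__":
    print("Not mitigated:", audit(SAMPLE_INI))
    print(harden(SAMPLE_INI))
```

Run the audit against the real notes.ini of each client (its location differs per platform and installation); an empty list from `audit()` means all three features are switched off. `harden()` returns new text rather than writing the file, so the result can be reviewed and deployed through whatever mechanism already manages client settings.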
IBM has given the issue a CVSS base score of 4.3 out of a possible 10, which places it in the "medium" band and suggests IBM does not consider it much of a problem. Alexander Klink of n.runs, who discovered the vulnerability, doesn't agree with IBM's assessment: "Attackers can use this to take over computers with Notes clients. Considering how widely Notes is used by businesses, it's a very attractive target with a high risk potential." Administrators running systems with Lotus Notes should take steps to make their clients safer as soon as possible.

Update: IBM advises The H that it has now shipped an update for this problem. To be exact, it has shipped two interim fixes, for Notes 8.5.3 and Notes 9.0, on Windows only. No updates are currently available for Mac or Linux clients; Linux users are advised to "monitor fix availability".

