Huge Java hole in Lotus Notes - Update
IBM's Notes/Domino, an email and workgroup system that is especially popular in large companies, has a huge security problem that should be fixed soon with an update. Even just opening an email could launch the installation of spyware on a Notes user's computer.
"Interim fixes" are now available that fix the problem by disabling these functions. Users can also manually change Notes settings to work around the issue, for example by setting the following variables in the
IBM has given the issue a CVSS base score of 4.3, meaning that it's not believed to be much of a problem, considering the maximum possible score is 10. Alexander Klink of n.runs, who discovered the vulnerability, doesn't agree with IBM's assessment: "Attackers can use this to take over computers with Notes clients. Considering how widely Notes is used by businesses, it's a very attractive target with a high risk potential." Administrators running systems with Lotus Notes should take steps to make their clients safer as soon as possible.
Update: IBM advises The H that it has now shipped an update for this problem. To be exact, though, it has shipped two interim fixes, for Notes 8.5.3 and Notes 9.0, on Windows only. No updates are currently available for Mac or Linux clients; users are advised to "monitor fix availability" for Linux.