IBM warns of 2 year old flaw in Notes ZIP library
IBM has warned that specially crafted ZIP files with long file names can trigger a buffer overflow in Notes clients on Windows systems, which may enable malicious code to be executed. The user would need to open the file attachment using the built-in view function.
The flaw is contained in the dunzip32.dll library, part of the DynaZip package by InnerMedia, which is also used in a number of other products. RealNetworks, for example, updated their affected RealPlayer product as early as October 2004. Notes versions 5.0.10, 6.0 and 6.5.1 contain a version dated 1999 which is also affected. According to the security bulletin from Juha-Matti Laurio, IBM were informed of and confirmed the existence of the vulnerability as early as November 2004. The flaw had been silently remedied in versions 6.5.5 and 7.0, released in late 2005.
The problem is only now – nearly two years after its discovery – being made public in a coordinated fashion by IBM, Juha-Matti Laurio and US-CERT. No explanation of why this process has taken almost two years has been forthcoming. The attempt to keep the existence of this security vulnerability from the public and affected customers for nearly two years represents a particularly questionable procedure, because others, possibly with malicious intent, could have stumbled across it at any time. To do so, someone who had read the advisories released at the time would only need to cast a glance at the date of their Notes client's ZIP library. This is not what one would call responsible disclosure of security vulnerabilities.
Anyone still using an older 6.x version of the client should update as soon as possible, or at least implement the workaround recommended by IBM and copy the dunzip32.dll library from a 6.5.5 system onto the affected computer. IBM has not divulged whether this trick will also work with version 5 clients, which are no longer supported. If in doubt, you should disable the ZIP view function or filter out ZIP attachments at a gateway.
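A gateway that cannot drop every ZIP attachment can at least quarantine archives that declare unusually long file names. The following is an added example, not code from IBM, US-CERT or the advisory author. The 255-byte limit and the function names are assumptions, since the article does not state the length that triggers the overflow.

```python
import io
import struct
import zipfile

# Assumed policy limit: the article does not state the name length that triggers the overflow.
MAX_NAME_LEN = 255

# header kind -> (signature, offset of the 2-byte file name length field)
HEADERS = {
    "local": (b"PK\x03\x04", 26),
    "central": (b"PK\x01\x02", 28),
}


def long_name_entries(data, max_len=MAX_NAME_LEN):
    """Return (kind, offset, declared name length) for every header over max_len.

    Scans raw bytes for header signatures instead of trusting the central
    directory, since a crafted archive can declare different names in each
    place. A signature that occurs by chance in file data may cause a false
    positive, which is acceptable for a quarantine decision.
    """
    findings = []
    for kind, (sig, field_off) in HEADERS.items():
        pos = data.find(sig)
        while pos != -1:
            if pos + field_off + 2 <= len(data):  # skip truncated headers
                (name_len,) = struct.unpack_from("<H", data, pos + field_off)
                if name_len > max_len:
                    findings.append((kind, pos, name_len))
            pos = data.find(sig, pos + 4)
    return sorted(findings, key=lambda f: f[1])


def should_quarantine(data, max_len=MAX_NAME_LEN):
    return bool(long_name_entries(data, max_len))


def make_sample_zip(names):
    """Build a constructed in-memory archive for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    print(long_name_entries(make_sample_zip(["report.txt"])))
    print(long_name_entries(make_sample_zip(["A" * 600 + ".txt"])))
```

The check reads only the declared length fields and never extracts or decompresses anything, so it can run on untrusted attachments before they reach a Notes client.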
- IBM Lotus Notes DUNZIP32.dll Buffer Overflow Vulnerability by Juha-Matti Laurio
- InnerMedia DynaZip library vulnerable to buffer overflow via long file names, US-CERT vulnerability note
- IBM Lotus Notes File Viewer Overflow Vulnerability, Technote from IBM