Lotus Notes fumbles JavaScript in RSS feeds
If you get a file with potentially dangerous JavaScript from an unknown source, what is the stupidest thing you can do with it? Well, you could store the script locally and then open it in Internet Explorer on a normal system. The browser would then install the script locally and run it in the local security zone. Practically everything in this case, including all local files, could be read, and complete spy programs could be downloaded from the Internet and launched.
And that is exactly what Lotus Notes does with embedded JavaScript via its embedded RSS feed reader. So if you have subscribed to a potentially malicious RSS feed, you have a serious security hole on your hands. IBM's reaction, which can be followed on the time line in the disclosure, is interesting. Last April, the Swiss firm Scip informed the IT giant about the problem. The Swiss say that they wrote again in August and still did not receive an answer, so they went ahead and described the problem on a security website.
A few days later, IBM responded by confirming that the problem affects the standard configuration of IBM Lotus Notes 8.x. The company said that a patch is available, but you have to submit a Service Request to IBM Support in order to get it. The flaw has reportedly been remedied in version 8.5.1, which the Notes/Domino Fix List says users can expect in October.
See also:
- IBM Lotus Notes 8.5 RSS Widget extended rights, Description by scip AG (in German).
- Response to 'IBM Lotus Notes 8.5 RSS Widget Privilege Escalation', Response from IBM.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
