=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN461
_____________________________________________________________________

DATE                      : 28/11/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running Lotus Notes clients.

======================================================================
http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21285600
______________________________________________________________________


Buffer overflow vulnerability in Lotus Notes file viewer for Lotus 1-2-3
attachments

Technote (FAQ)

Question

Sebastián Muñiz from the CORE IMPACT Exploit Writers Team (EWT) at Core
Security Technologies contacted IBM® Lotus® to report a potential
keyview buffer overflow vulnerability in Lotus Notes® when viewing a
Lotus 1-2-3 (.123 extension) file attachment. In specific situations,
arbitrary code execution was found to be possible.


To successfully exploit this vulnerability, an attacker would need to
send a specially crafted Lotus 1-2-3 file attachment to users, and the
users would then have to double-click and View the attachment.


The advisory will be available at the following URL:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2008

Answer

This issue was reported to Quality Engineering as SPR# PRAD777KP, and we
have received a software update from the technology vendor involved.
You must contact IBM Support to obtain the patch, which is available for
Notes 7.x and 8.x client versions.

Note: The issue impacts only Windows-based Notes clients; it does not
impact the Domino server.

Workarounds for Notes 7.x and 8.x client versions:

Option 1: Contact IBM Support to obtain the patch for the Notes client.

Option 2: Alternatively, you can disable the affected file viewer by
following one of the options in the "How to disable viewers within Lotus
Notes" section of this technote.


Workaround for Notes 6.x client versions:

We are currently working with the technology vendor involved to
investigate options for the Notes 6.x client versions. This section will
be updated with more information by November 30th. Until a final
solution is determined, you can disable the affected file viewers by
following one of the options in the "How to disable viewers within Lotus
Notes" section of this technote.


Workaround for Notes 5.x client versions:

If you are interested in protecting yourself from this vulnerability, we
recommend disabling the viewers as described in the "How to disable
viewers within Lotus Notes" section of this technote. There is no
software fix available for the Notes 5.x client version.


How to disable viewers within Notes:

Option 1: Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file."

Option 2: Delete or rename the problem DLL file, which in this case is
l123sr.dll. Be aware that the DLL file name starts with a lowercase "L".
When a user tries to view a 123 spreadsheet file type, a dialog box will
display with the message "The viewer display window could not be
initialized." All other file types work without returning the error
message.

Option 3: Comment out the specific lines in keyview.ini that reference
the problem DLL file. To comment out a line, precede it with a
semicolon (;). When a user tries to view the specific file type, a
dialog box will display with the message "The viewer display window
could not be initialized."

For example:

[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll
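
The following is an added example, not part of the IBM technote or the CERT-Renater note: Option 3 as a Python routine that comments out every active keyview.ini entry referencing l123sr.dll and can be re-run to audit that no active reference remains. The sample file content is constructed, and the `examplesr.dll` entry and its key are hypothetical.

```python
import re

# An active "key=value" entry; lines whose first non-blank character is ';' are comments.
_ENTRY = re.compile(r"^\s*([^;=\s][^=]*?)\s*=\s*(.*?)\s*$")

def disable_viewer(ini_text, dll_name):
    """Comment out every active entry whose value references dll_name.

    Returns (new_text, changed), where changed lists (section, key) pairs.
    Matching is case-insensitive because Windows file names are.
    Lines that are already commented are left alone, so re-running is safe.
    """
    section = None
    changed = []
    out = []
    for line in ini_text.splitlines(keepends=True):  # keep CRLF/LF as found
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        else:
            m = _ENTRY.match(line.rstrip("\r\n"))
            if m and dll_name.lower() in m.group(2).lower():
                changed.append((section, m.group(1)))
                line = ";" + line
        out.append(line)
    return "".join(out), changed

def active_references(ini_text, dll_name):
    """Audit helper: (section, key) entries that still point at dll_name."""
    return disable_viewer(ini_text, dll_name)[1]

# Constructed sample. The two l123sr.dll keys are the ones shown in the
# technote; the last entry and its DLL name are made up for illustration.
SAMPLE = (
    "[KVWKBVE]\r\n"
    "81.2.0.5.0=l123sr.dll\r\n"
    ";81.2.0.9.0=l123sr.dll\r\n"
    "99.0.0.0.0=examplesr.dll\r\n"
)

if __name__ == "__main__":
    patched, changed = disable_viewer(SAMPLE, "l123sr.dll")
    print(patched, end="")
    print("commented out:", changed)
    print("still active:", active_references(patched, "l123sr.dll"))
```

Keep a backup copy of keyview.ini before writing the patched text back, so the entries can be restored once the client is patched.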


Additional Background

In general, users are strongly urged to use caution when opening or
viewing unsolicited file attachments.

The attachments will not auto-execute upon opening or previewing the
email message; the file attachment must be opened by the user using one
of the mentioned file viewers. In some cases, further user action is
also required to trigger the exploit.



======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================








