=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN273
_____________________________________________________________________

DATE                      : 28/07/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Lotus Notes.

======================================================================
http://www-01.ibm.com/support/docview.wss?uid=swg21440812
______________________________________________________________________

(July 2010) Fixes for potential security vulnerabilities in Lotus Notes file viewers
 Flash (Alert)

Abstract
iDefense Labs, Secunia, and TippingPoint's Zero Day Initiative (ZDI) contacted
IBM Lotus to report potential buffer overflow vulnerabilities in several Lotus Notes
file viewers.

Content

In specific situations, arbitrary code could potentially be executed when the
following types of attachments are viewed in Notes:

    * Lotus 1-2-3 Spreadsheet
    * Microsoft Office Spreadsheet
    * Microsoft Office Word
    * Microsoft Word 2.0
    * OLE document
    * QuattroPro speed reader
    * WordPerfect 5


To exploit these vulnerabilities, an attacker would have to send a specially
crafted file attachment to users, and then users would have to double-click the
attachment and select "View".

The specific issues vary depending on attachment type; however, they are all related
in how the buffer overflow denial-of-service could be accomplished. In all cases, the
issues involve viewing a malicious attachment from a Notes client on a Windows-based
machine. Domino servers are not impacted.

Refer to the tables in the "Additional Information" section below for more information
on each issue, including the name of the vulnerable .dll files, the Lotus SPR tracking
numbers, and fix availability for each code stream. You can also find related information
on the Web sites of the security researchers who discovered the issues:

    * iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/
    * Secunia: http://secunia.com/advisories/
    * TippingPoint's ZDI: http://zerodayinitiative.com/advisories


Recommended Fix

These issues have been investigated by IBM Lotus and the technology vendors involved.
To address the issues, customers are encouraged to apply the following Fix Packs:

    * 8.0.2 Fix Pack 6 (Available on Fix Central as of July 26, 2010; release notice)
    * 8.5.1 Fix Pack 4 (Available on Fix Central by August 4, 2010; preliminary release notice)


For customers unable to apply these Fix Packs, IBM Lotus is providing a
self-extracting .zip file with a script to apply a single, cross-version patch
for Notes 8.5.1.x, 8.0.x, and 7.0.x. The patch is now available for download from
Fix Central (a direct download link is provided below). See the Workarounds section
for more details.


Workarounds

For Notes 8.5.x, 8.0x, and 7.x

Option 1: Download and apply the patch Keyview_Security_patch0719.exe from Fix Central.

This single patch has contents that apply to Notes 8.5.1, 8.0x, and 7.0x so it
can be run on a client machine with any of these releases. The script will determine
the correct version and then apply the patches into the Notes Program or MUI directory.

This patch does not interfere with existing hotfixes, Interim Fixes, Cumulative Client Hotfixes,
Fix Packs, or Maintenance Releases, and it does not revise the Notes version string. Customers
who want to confirm the patch has been applied can examine the file date or apply a Fix Pack
that contains the fixes.

Instructions for running the patch:

1) Place the downloaded patch (Keyview_Security_patch0719.exe) on the desired machine or
network drive.

2) Shut down the Notes client to ensure that the KeyView files to be replaced are not in memory.

3) Run Keyview_Security_patch0719.exe as Administrator.

While the patch is running a dialog will appear briefly as the files are being extracted
and, upon completion, the following dialog will appear:

*** TIP ***: An alternative method for deploying the patch is described in the following
Wiki article: "How to deploy non-versioned patches via Smart Upgrade"


Option 2: Disable the affected file viewers by following one of the options in the
"How to disable viewers within Lotus Notes" section of this technote.


For Notes 6.x:

The KeyView viewer technology has advanced considerably since Notes 6.5. Due to these
advancements, we are recommending that customers upgrade to a later release as the
long term solution to avoid exposure to vulnerabilities. As further issues are discovered,
the solution for customers running Notes 6.5 (and in some cases Notes 7) will be to disable
KeyView or particular modules impacted, until an upgrade can occur. As a guideline, providing
KeyView security solutions on releases that have been in market longer than 5 years will
not be possible.

Option 1: Upgrade to a later release.

- or -

Option 2: Disable the viewer as described in the "Options to disable viewers within Lotus Notes"
section of this technote.

For Notes 5.x


Disable the affected file viewers by following one of the options in the "How to disable viewers
within Lotus Notes" section of this technote. There is no software fix available for the
Notes 5.x code stream.


Options to disable viewers within Notes

    * Delete the keyview.ini file in the Notes program directory.
      This disables ALL viewers. When a user clicks View (for any file attachment), a dialog
      box will display with the message "Unable to locate the viewer configuration file."

    * Delete or rename the affected DLL file.
      After removing the DLL file, when a user tries to view a file that requires that viewer,
      a dialog box will display with the message "The viewer display window could not be
      initialized." All other file types work without returning the error message.

    * Comment out lines in keyview.ini that reference the affected DLL file.
      To comment a line, you precede it with a semicolon (;). When a user tries to view the
      specific file type, a dialog box will display with the message "The viewer display window
      could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out
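
The third option can be applied consistently across many clients with a small script. The
following is an added example, not part of the IBM technote: the function name, the sample
file contents other than [KVWKBVE] and 188=xlssr.dll, and the matching rules are assumptions.
The list of affected DLL names must be taken from the vendor's tables.

```python
import re

# An active "key=value" entry; lines whose first non-blank character is ';' are comments.
_ENTRY = re.compile(r"^\s*([^;=\s][^=]*)=(.*)$")

# Constructed sample: only the [KVWKBVE] section and the 188=xlssr.dll entry come
# from the technote's example; every other line is a placeholder.
SAMPLE_INI = (
    "[KVWKBVE]\r\n"
    "188=xlssr.dll\r\n"
    "189=examplesr.dll\r\n"
    "[EXAMPLE_SECTION]\r\n"
    ";12=xlssr.dll\r\n"
    "13=C:\\viewers\\XLSSR.DLL\r\n"
)


def disable_viewers(ini_text, dll_names):
    """Comment out every active entry that references one of dll_names.

    Returns (new_text, changes); changes lists (section, original_line) pairs.
    """
    targets = {name.lower() for name in dll_names}
    section, out, changes = None, [], []
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        match = _ENTRY.match(line)
        # Compare whole file names so "xlssr.dll" does not also hit "myxlssr.dll".
        files = re.split(r"[\s,\\/]+", match.group(2).lower()) if match else []
        if targets.intersection(files):
            out.append(";" + line)  # same form as the technote: ;188=xlssr.dll
            changes.append((section, stripped))
        else:
            out.append(line)
    return "".join(out), changes


if __name__ == "__main__":
    patched, changed = disable_viewers(SAMPLE_INI, ["xlssr.dll"])
    for sect, entry in changed:
        print(f"[{sect}] disabled: {entry}")
    # A second pass finds nothing left to disable, so the edit is safe to repeat.
    assert disable_viewers(patched, ["xlssr.dll"])[1] == []
```

The returned change list doubles as an audit record: an empty list on a given client means
no active entry for the listed DLLs remains in its keyview.ini.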



======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

