Core Security Discovers Vulnerability in Lotus Notes

Users vulnerable to attack when viewing corrupt Lotus 1-2-3 file attachments

BOSTON -- Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing, today issued an advisory disclosing several vulnerabilities that could severely impact the thousands of organizations using IBM Lotus Notes. The buffer overflow vulnerabilities affect the groupware application and can be triggered by enticing users to open corrupt email attachments.

The email functionality of Lotus Notes supports previewing and processing file attachments in various formats. A researcher from CoreLabs, the research arm of Core Security, discovered vulnerabilities in the Lotus WorkSheet file processor: by sending a specially crafted Lotus 1-2-3 email attachment, an attacker could remotely execute arbitrary commands and compromise vulnerable systems when users "view" the attachment.

“This is a severe threat to organizations that use Lotus Notes for corporate email communications,” said Ivan Arce, CTO at Core Security Technologies. “The discovery of this vulnerability in the Lotus Notes client underlines, once again, that securing endpoint systems and the applications that run on them is critical and that no vendor is immune to the perils of client application security. Vulnerable organizations should be prepared to quickly deploy the appropriate fixes and workarounds and users of the Lotus Notes client should use caution when presented with unknown file attachments, especially those from unfamiliar senders.”

Core Security Technologies
