
Lotus Notes catches a bug


Lotus Notes has a new headache. Researchers at Core Security Technologies say there is a serious bug in the Autonomy KeyView software used by Lotus Notes to process Lotus 1-2-3 files. Ivan Arce, Core's chief technology officer, says it would not be hard for an attacker to write the code that provides passage into the software. "Previously there have been other flaws like this published for the same software development kit," Arce said. "So anyone keeping track of that could write an exploit pretty quickly."

When Core researchers opened a specially crafted Lotus 1-2-3 email attachment in Lotus Notes, they found they could run unauthorized software on the PC. This kind of vulnerability, known as a "file parsing bug," is not new, however. There have been improvements in stopping attacks that take advantage of such bugs, in the form of tools called "fuzzers," which send a barrage of data to programs to see if they can be made to act in unexpected ways.

IBM disclosed this problem in a Nov. 26 security alert, and the company is offering a software patch for Notes 7 users. For those using an older version of Notes, IBM has suggested several workarounds, including deleting the Windows DLL (dynamic link library) file that is associated with Notes.

For more on this software bug:
- See this ComputerWorld article
