webapplicationsreview.com


IBM patches Lotus Notes 1-2-3 security flaws


After IBM unearthed vulnerabilities in a third-party component of Lotus 1-2-3, it released a patch for highly critical security flaws in Lotus Notes.

Core Security Technologies issued a security advisory stating that a buffer overflow is triggered when a user opens a malicious file attachment and Lotus 1-2-3 tries to process the Lotus Worksheet file format. An attacker could then remotely take control of the user's system and execute arbitrary code.

The Core advisory noted that “Although these specific vulnerabilities exist on a third-party component, the problem is compounded by the way Lotus Notes displays information about attachments, making it easier to elicit unsuspecting assistance from the users to exploit them.”

For example, attackers could send a malicious Lotus 1-2-3 file attachment with a common extension such as .jpg or .gif, instead of a MIME Content-Type e-mail header.
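A mail gateway can catch this kind of disguise by comparing what an attachment's file name, its Content-Type header and its leading bytes each claim it is. The sketch below is an added example, not code from IBM or the Core advisory; the Lotus 1-2-3 signatures are assumed from public file-signature tables, and the sample message is constructed.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes per file kind. The Lotus 1-2-3 values are an assumption taken
# from public file-signature tables, not from the advisory.
MAGIC = {
    "lotus123": (b"\x00\x00\x02\x00\x06\x04",          # WK1
                 b"\x00\x00\x1a\x00\x00\x10\x04\x00",  # WK3
                 b"\x00\x00\x1a\x00\x02\x10\x04\x00"), # WK4
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
            ".wk1": "lotus123", ".wk3": "lotus123", ".wk4": "lotus123", ".123": "lotus123"}
MIME_KIND = {"image/jpeg": "jpeg", "image/gif": "gif",
             "application/vnd.lotus-1-2-3": "lotus123"}

def sniff(data):
    """Return the kind whose signature the payload starts with, or None."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return None

def audit_attachments(raw):
    """Return one finding per attachment whose name, header and bytes disagree."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        by_ext = EXT_KIND.get(os.path.splitext(name)[1].lower())
        by_mime = MIME_KIND.get(part.get_content_type())
        by_magic = sniff(part.get_payload(decode=True) or b"")
        if len({k for k in (by_ext, by_mime, by_magic) if k}) > 1:
            findings.append({"filename": name, "extension": by_ext,
                             "content_type": by_mime, "magic": by_magic})
    return findings

def build_sample():
    """Constructed message: a real GIF header plus a worksheet header named .jpg."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="logo.gif")
    msg.add_attachment(MAGIC["lotus123"][0] + b"\x00" * 16, maintype="application",
                       subtype="vnd.lotus-1-2-3", filename="holiday.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in audit_attachments(build_sample()):
        print(finding)
```

Attachments whose three indicators agree, or whose type is not in the tables, are not reported; a gateway would typically quarantine the mismatches instead of passing them to the client.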

Written by Harry

April 10th, 2010 at 1:38 am

Posted in Lotus Notes 1-2-3