Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Lotus Notes Vulnerable to WMF 0-Day Exploit

Published: 2006-01-04
Last Updated: 2006-01-04 02:28:56 UTC
by Scott Fendley (Version: 3)
0 comment(s)

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher is vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update December 30, 2005

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

"1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by information of the file header information, not by file extension used.

2. Do not Open... or View... picture files from untrusted sources.
"

Thanks for that information Juha-Matti.

Update January 04, 2006

IBM has released an advisory that states the following:
"Lotus Notes allows users to optionally "View" or "Open" file attachments contained in email messages and documents. These attachments do not auto-launch or execute without user action."  Their recommendation is to follow the recommendations from Microsoft and apply the patch when available.  http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21227004

--
Scott Fendley
Handler on Duty


Keywords:
0 comment(s)
Diary Archives