Lotus Notes RSS reader unsafe

by Volker Weber

The vulnerability is universal. You don't need any exploit. Notes downloads the HTML code embedded in the RSS feed, dumps it into the file system and asks Internet Explorer to interpret it. Since the file is local, IE treats it as local code, outside the restrictions it applies to content from the Internet zone. From there you can do pretty much everything that is possible with JavaScript, Flash or other embedded code.

Interesting time line:

2009/04/07 Identification of the vulnerability.
2009/04/23 Notification of IBM via the customer.
2009/04/23 Technical know-how exchange between scip AG/IBM.
2009/06/05 Asking for current status by scip AG. (no answer)
2009/07/09 Asking for current status by scip AG.
2009/07/09 Reply with current status and assigned PMR.
2009/08/24 Asking for current status by scip AG. (no answer)
2009/09/08 Public disclosure of the advisory.

Published by IBM today. If you need the fix, you have to contact IBM Support.
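To make the failure mode concrete, here is an added example (not code from vowe.net, IBM or Lotus Notes) of the two ways a feed reader can hand feed HTML to Internet Explorer. The feed content is constructed; the sanitizer is a deliberately crude illustration, and the "Mark of the Web" comment is the documented IE mechanism for telling the browser to render a saved file in the Internet zone rather than the Local Machine zone. How Notes itself writes and opens the file is not known from the post, so the unsafe variant only models the pattern the post describes.

```python
"""Added example: rendering RSS feed HTML through IE from a local file.

render_unsafe() models the pattern described in the post (feed HTML written
verbatim to a local file). render_hardened() shows two mitigations a reader
can apply before the file reaches the browser. Nothing here is Notes code.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed: one item whose description carries active content.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo feed</title>
<item><title>post</title>
<description><![CDATA[<p>Hello</p><script>alert(1)</script><img src=x onerror="alert(2)">]]></description>
</item></channel></rss>"""

# IE "Mark of the Web": a comment at the top of a saved HTML file that makes
# Internet Explorer apply Internet-zone restrictions to it instead of treating
# it as trusted local content. "(0014)" is the length of "about:internet".
MARK_OF_THE_WEB = "<!-- saveFromURL=(0014)about:internet -->\n"

# Crude deny-list filter for illustration only; a real reader should use a
# whitelist-based HTML sanitizer rather than regular expressions.
SCRIPT_BODY = re.compile(r"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>", re.I | re.S)
ACTIVE_TAGS = re.compile(r"<\s*/?\s*(script|object|embed|iframe|applet)\b[^>]*>", re.I)
EVENT_ATTR = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)


def extract_descriptions(feed_xml):
    """Return the raw HTML carried in each <item><description> of an RSS 2.0 feed."""
    root = ET.fromstring(feed_xml)
    return [item.findtext("description") or "" for item in root.iter("item")]


def sanitize(fragment):
    """Strip script bodies, active-content tags and inline event handlers."""
    fragment = SCRIPT_BODY.sub("", fragment)
    fragment = ACTIVE_TAGS.sub("", fragment)
    fragment = EVENT_ATTR.sub("", fragment)
    return fragment


def render_unsafe(fragment):
    """The pattern the post describes: feed HTML dropped into a local file as-is.
    Opened from disk, IE runs whatever script the feed author embedded."""
    return "<html><body>" + fragment + "</body></html>"


def render_hardened(fragment):
    """Same file, but sanitized and marked so IE renders it in the Internet zone."""
    return MARK_OF_THE_WEB + "<html><body>" + sanitize(fragment) + "</body></html>"


def save_for_viewer(path, fragment):
    """Write the hardened rendering to disk (the only variant that should be saved)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_hardened(fragment))


if __name__ == "__main__":
    for desc in extract_descriptions(SAMPLE_FEED):
        print("unsafe:  ", render_unsafe(desc))
        print("hardened:", render_hardened(desc))
```

Both mitigations matter independently: the sanitizer removes the obvious active content, and the Mark of the Web ensures that anything the sanitizer misses still runs with Internet-zone restrictions instead of local-file privileges.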


This might be a stupid question, but if you have to log a call, won't you need a support contract? Or does that not apply to security fixes?

Flemming Riis, 2009-09-18 19:43

Another stupid question - HTML formatted emails are rendered by Internet Exploder too.

That must also be done in the local context. If you have ever printed an HTML email from Notes 8+ you will know that you get the standard IE print header and footer complete with the local URL in the footer.

Someone please tell me there isn't a code execution possibility right there.

Chris Linfoot, 2009-09-18 20:20

Best bet is to open a call and find out. (I am not sure if you can or not). Either way there are 3 other options you can do in the meantime.

By the way. The Technote was not published today (only updated today). It was posted before scip AG posted the exploit publicly.

Simon O'Doherty, 2009-09-18 20:23

@Chris - Actually, HTML formatted emails are "cleaned up" first to prevent malicious code. The cleanup may not be perfect, but it is a different scenario.

Ben Langhinrichs, 2009-09-18 20:24

@Ben is that clean up exactly documented somewhere?

Jan-Piet Mens, 2009-09-18 20:39

@Chris, @Ben,

I fear you are both missing the point. The problem is that the Notes RSS reader dumps the HTML into a local file on the user's PC. When IE is then invoked to render that local file, it does so outside its sandbox.

When IE, as a browser, renders HTML received from an HTTP source, it does so in its sandbox. Now one could argue about how effective that sandbox is, but that is a whole other issue!

Nick Shelness, 2009-09-19 09:45

@Nick: Neither Chris nor Ben talked about HTML from an HTTP source, but from HTML included in formatted mails from outside. I think it's not too unlikely the same happens with them.

But BTW: isn't that what every other local RSS reader application would do?

Oliver Regelmann, 2009-09-19 20:34

No, they don't. It's a very basic design failure. Other feed readers like FeedDemon use the proper Internet sandbox.

If you start digging around in the "standard" client outside of what used to be Notes, you will find lots of stuff that will lead to more security discussions. Code signing, ECL etc don't exist there. And you are supposed to turn malware protection off in this space, so that performance does not suffer.

Volker Weber, 2009-09-19 20:51

Well, who's to bless & who's to blame? One of the biggest questions on opening the Notes Client to the Eclipse platform for me was about security of plugins. The monolithic C++ Notes Client was much less vulnerable to lazy programmers than the open Eclipse platform is. That IBM itself had to prove that is some sort of irony to me. Eclipse is a blessing and a curse - flexibility and openness always mean responsibility... And - don't get me wrong - even with this, I appreciate the way IBM is heading with Notes 8.x, Eclipse and Expeditor.

Heiko Voigt, 2009-09-19 22:48

It's probably a matter of trust. If you want to use widgets, you have to trust them. If you can't trust a plugin from IBM, whom do you want to trust? The RSS widget is a perfect malware dropper. Access to the local file system, ability to run processes in user space.

Volker Weber, 2009-09-19 23:04

@Vowe: So when I use a feedreader with offline capabilities (I think most of the popular ones do), I would load the HTML from the local file system as well?

Stephan H. Wissel, 2009-09-21 05:03

Lotus Notes RSS reader is a joke anyway.

Roman Kopac, 2009-09-30 13:54

© 1992-2014 Volker Weber.
All Rights Reserved.