Vulnerability in Notes 7 and 8 through file viewer

by Volker Weber

Several vulnerabilities have been discovered in Autonomy’s Verity KeyView SDK which affects Notes (and most likely other applications as well). What I find disturbing is this:

Although these specific vulnerabilities exist in a third-party component, the problem is compounded by the way Lotus Notes displays information about attachments, making it easier to elicit unsuspecting assistance from the users to exploit them. Lotus Notes displays the file type and corresponding icon based on the attached file's extension rather than the MIME Content-Type header in the email, whereas the view functionality is handled by the Verity KeyView component, which processes the attachment based on the file contents. Exploitation of these vulnerabilities requires end-user interaction, but the discrepancy described above could allow an attacker to send a malicious Lotus 1-2-3 file as an attachment with a seemingly innocuous extension (for example, .JPG or .GIF) that more easily lures users into viewing it, thus making it easier to succeed in the exploitation attempt.

Shouldn't this be fixed by IBM?

There is a fix available provided by IBM. So the answer would be yes.

Vitor Pereira, 2007-11-28

Vitor, the fix will be plugging the vulnerability. But I seriously doubt that it also makes Notes use the MIME content header.

Volker Weber, 2007-11-28

The mismatch between how the icon and viewers are chosen should definitely be addressed by IBM. That a third-party component has a vulnerability like this is unfortunate but hardly IBM's fault. I have never used a 123 file other than for importing and exporting data to/from Notes, so I'm about as concerned about this as I am of my nonexistent iPhone getting bricked by the latest firmware. :-p

Charles Robinson, 2007-11-28

I have used 1-2-3, but it's been a while. Notice my post is about the MIME thing, not about the Keyfile viewers. And actually, you should be concerned, because you won't know you are opening a 1-2-3 file. On the other hand, what are the chances. ;-)

Volker Weber, 2007-11-28

You mean you actually wanted them to make Notes use the MIME content header? You're kidding right?

Vitor Pereira, 2007-11-28

So you suggest Notes should display the icon corresponding to the MIME header? In this case I guess there'll be a lot of support calls about Notes displaying the "wrong" icon.

Anyway, I don't see how a jpg icon would more easily lure a user to view the attachment than a 1-2-3 icon. Instead a user might "view" the wks just because he doesn't have the application installed.

Oliver Regelmann, 2007-11-28

Vitor, not kidding. Please explain ...

Volker Weber, 2007-11-28

I meant MIME is a relatively new technology; it takes some time to incorporate. Must. Be. Patient ;-)

Vitor Pereira, 2007-11-28

It looks like I have been had. :-)

Volker Weber, 2007-11-28

How would using the MIME type help?

"... the Verity KeyView component which processes the attachment based on the file contents"

As I read this, and as I recall from past experiences, the KeyView code actually looks at the bits and says "hmmm... this looks like a 1-2-3 file". If that's true, you could lie about the MIME type just as easily as you lie about the file extension.

Richard Schwartz, 2007-11-29
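The discrepancy the advisory describes, and Richard's point that a Content-Type header can be forged as easily as an extension, can both be made concrete with a three-way check. The following is an added example, not code from the post, IBM or Autonomy: it compares what the extension, the MIME Content-Type and the first bytes of the attachment each claim, and the signature table (including the assumed Lotus 1-2-3 WK1 header bytes) is a constructed sample, not a complete database.

```python
"""Added example: compare what the extension, the MIME Content-Type and the
file contents each say an attachment is, and report any disagreement."""
import os
from typing import List, Optional

# Constructed signature table for the formats the post mentions. The Lotus
# 1-2-3 entry assumes the WK1 BOF record bytes; use a maintained database
# such as libmagic in practice.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x00\x00\x02\x00\x06\x04\x06\x00", "application/vnd.lotus-1-2-3"),
]
# What extension-based icon selection (the Notes behaviour described) infers.
EXT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
             ".wk1": "application/vnd.lotus-1-2-3",
             ".wks": "application/vnd.lotus-1-2-3"}

def sniff(content: bytes) -> Optional[str]:
    """Type as a content-based viewer such as KeyView would determine it."""
    for magic, mime in MAGIC:
        if content.startswith(magic):
            return mime
    return None

def type_from_extension(filename: str) -> Optional[str]:
    """Type as the attachment icon suggests it, from the extension alone."""
    return EXT_TYPES.get(os.path.splitext(filename)[1].lower())

def check_attachment(filename: str, content_type: Optional[str],
                     content: bytes) -> List[str]:
    """One finding per disagreement; an empty list means all three views agree."""
    by_ext = type_from_extension(filename)
    by_content = sniff(content)
    # Drop parameters like "; name=..." and normalise case before comparing.
    declared = content_type.split(";")[0].strip().lower() if content_type else None
    findings = []
    if by_content is None:
        findings.append("content matches no known signature")
    if by_ext and by_content and by_ext != by_content:
        findings.append(f"extension implies {by_ext} but content is {by_content}")
    if declared and by_content and declared != by_content:
        findings.append(f"Content-Type says {declared} but content is {by_content}")
    return findings

# Constructed samples: a 1-2-3 header mailed as "budget.jpg" with a matching
# forged Content-Type (icon and header agree, bytes do not), and a real JPEG.
WK1_SAMPLE = b"\x00\x00\x02\x00\x06\x04\x06\x00" + b"\x00" * 24
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 24
```

Running `check_attachment("budget.jpg", "image/jpeg", WK1_SAMPLE)` returns two findings even though the extension and the MIME header agree with each other, which is exactly why a header-only check does not close the gap.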

Vitor, MIME was first defined as a specification in 1987 and was further refined throughout the early '90s (see this rundown). I think roughly 20 years qualifies as mature enough to be fully implemented. :-)

Richard, it's not perfect, but it's better than what we have now and could be implemented relatively easily. Anyone in the world can rename a file but it takes a bit more effort and knowledge to craft a MIME header. As you say, a better solution is for Notes to actually look at the contents of the file rather than making any assumptions. That's a much bigger change.

Charles Robinson, 2007-11-29

Charles, Vitor is well aware. ;-)

Volker Weber, 2007-11-29

I think Charles has been had too :-)

Vitor Pereira, 2007-11-29

Bah. What happened to speaking plainly and just saying what you mean? I don't have the patience for subtlety. :-p

Charles Robinson, 2007-11-29

