Huge Java hole in Lotus Notes

by Volker Weber

Java embedded in web pages has, for some time now, been criticised as a security issue and automatic execution of JavaScript code when an email is opened can also have unwanted consequences, with information potentially being shared about when and where the email was read. That's why pretty much all email programs turn off both JavaScript and Java when displaying an HTML email - except IBM's Notes.

More >

Und hier in deutscher Sprache >

Comments

Interesting that he mentions manually editing the INI file, given that those settings have been part of the GUI preferences screen for over a decade.

Tim Tripcony, 2013-05-02 20:27

@Tim
What would you do, if you had 3000 (or even more) Notes clients to manage?
Would you walk from client to client to make these settings via GUI?
Or would you set the notes.ini parameters with some sort of management tool?
News like this are intended to be read by IT administrators, not by the end user.

Manfred Wiktorin, 2013-05-02 21:10

This "Management Tool" is called policies (Desktop Settings document, Managed Settings), even Domino has these kind of administration means.
But there are already hotfixes (for 9.0 and 8.5.3.4) out there

Christian Henseler, 2013-05-02 21:19

The discussion has been going on for weeks. Heise just published today.

Volker Weber, 2013-05-02 21:21

IBM has implemented active content filtering for iNotes uesrs. It's a little surprising that they have that covered but don't (er... didn't) have it covered for the Notes client as well.

Richard Schwartz, 2013-05-03 02:31

I don't really understand why this isn't blocked by the client's ECL. Default and "No signature" settings are set to no access at all and still at least the test applet by heise gets executed.

Oliver Regelmann, 2013-05-03 08:03

@Oliver,

not at our clients.

I assume it's blocked by our firewall as the Active.class is loaded from the Heise servers before execution.
We only get a blank square with that little coffee-cup.

Harald Gaerttner, 2013-05-03 09:38

Looks like a storm in a coffee cup to me.

Stephen Bailey, 2013-05-03 16:59

Recent comments

Stefano Benassi on DNUGcomes2me at 13:10
Oliver Regelmann on Notes/Domino: Neues Leben für die Kollaborationsplattform at 22:54
Stuart McKay on DNUGcomes2me at 22:10
Hubert Stettner on Lindt :: Oh yeah at 20:20
Volker Weber on Notes/Domino: Neues Leben für die Kollaborationsplattform at 16:30
Markus Dierker on Notes/Domino: Neues Leben für die Kollaborationsplattform at 16:21
Mark Barton on DNUGcomes2me at 14:37
Lutz Haller on DNUGcomes2me at 14:08
Volker Weber on Lindt :: Oh yeah at 11:52
Andrew Magerman on Lindt :: Oh yeah at 11:02
Lars Berntrop-Bos on Lindt :: Oh yeah at 08:32
Ragnar Schierholz on Lindt :: Oh yeah at 22:42
Stephan H. Wissel on DNUGcomes2me at 17:34
Volker Weber on DNUGcomes2me at 12:05
Henning Heinz on DNUGcomes2me at 10:01
Markus Dierker on DNUGcomes2me at 08:21
Axel Koerv on #dnug45 im darmstadtium at 19:52
Volker Weber on Elgato Eve Flare :: Erste Eindrücke at 19:18
Thomas Cloer on Elgato Eve Flare :: Erste Eindrücke at 17:34
Jochen Kattoll on Sonos, AirPods, Plantronics. Und Podcasts. at 12:40
Stephan Perthes on Elgato Eve Flare :: Erste Eindrücke at 10:49
Oswald Prucker on #dnug45 im darmstadtium at 10:17
Volker Weber on #dnug45 im darmstadtium at 09:44
Ingo Spichal on #dnug45 im darmstadtium at 09:14
Hendrik Brunn on Elgato Eve Flare :: Erste Eindrücke at 23:23

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter amazon

Local time is 23:42

visitors.gif

buy me coffee