Re: Security BugWare Advisory

[Vinci Chou <CaptainBig () bigfoot com>]

irib () bunker freexion net wrote:

>               Whacking A Machine With Lotus Notes Mail
>
> PROBLEM
>
>     SecurityBugware team found following, as posted on 
www.securitybugware.org :
>
>     With a little LotusScript in your mail, you can execute all what 
you want on
>     the recipient's computer - even out of Notes.

< snipped >

This is nothing new and was one of the topic in blackhat.


> SOLUTION
>
>     The only solution is to desactivate the preview,  and  to  
delete  the  memo
>     before reading it.


No.  This is NOT the only solution.  The proper solution is ECL - 
Execution Control List.  ECL is a security control mechanism that is 
available in both R4.6x and R5.x.  Lotus already published an article on 
their website in April 2001 to remind users of the security 
implications.  Go to
http://www.lotus.com/home.nsf/welcome/securityzone
and select
"Lotus Notes Stored Form Vulnerability"
(Stored Form is another way of putting executable codes in a Lotus e-mail).

Vinci