Vulnerability Development mailing list archives

Re: Another new worm???


From: edurflinger () CORNINGDATA COM (edurflinger () CORNINGDATA COM)
Date: Wed, 28 Jun 2000 08:34:33 -0400


Lotus Notes can be locked down incredibly tightly. Here are a few items
that answer the concerns below:

* Fetching email to a remote client takes place via 'replication'.  Under
the 'Replication -> Settings' menu, you have the option to retrieve the
headers and first 40K of 'rich text' only.  This doesn't help you, however,
if you're reading your mail file directly from the server.
* Programs running on the server (known as 'unrestricted agents', including
LotusScript, JavaScript, or Java) only run under the authority of the user
and have no ability (yeah yeah, no known ability) to break out of that
restriction. Users must be specifically enabled to be able to run
unrestricted code.
* Every client features an 'execution control list' which determines those
program elements allowed to run freely on the client end.  These ECL
workstation settings can be managed centrally from the Notes administrator
and pushed down to the client.  Unsigned code can be restricted from doing
absolutely anything to the client - access the filesystem, environmental
variables, whatever.
* Available built-in 40-bit port encryption between the server and the
client and native support for SSL makes attacks against the replication
protocol difficult.
* Thorough ACL support allows any database to be restricted only to
registered Notes users, who are authenticated via client certificate. The
maximum level of access a Web user is allowed to have can be specified
separately from the normal ACL, meaning that even authorized users can be
restricted from editing documents via the Web.

Like any program, Notes can be configured insecurely. But if you enforce a
client ECL that allows only code signed by the local certificate authority
to be executed by the client - if that - mail worm exploits become
virtually impossible.

Assuming that bugs in the client don't prevent that. :) The R5 client *is*
still quite buggy...

Connor Durflinger
Consultant / Trainer
Corning Data Services
607.797.0523
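The two controls the post leans on, an execution control list that grants capabilities only to code from a trusted signer (unsigned code gets nothing), and a separate cap on what Web users may do regardless of their normal ACL entry, can be modelled as a small policy evaluator. The following is an added illustration and is not Lotus Notes code or the poster's; the rule format, signer names, capability names, and the `max_web_access` parameter are assumptions made for the example, and the ACL levels are Notes' standard seven.

```python
"""Model of an ECL (execution control list) and a web-access cap, as
described in the post. Hypothetical data model, not the Notes API."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


class Access(IntEnum):
    """Notes ACL levels, lowest to highest privilege."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


# Capabilities an ECL entry may grant (constructed names, modelled on the
# filesystem / environment access the post mentions).
CAPABILITIES = {"filesystem", "environment", "network", "external_programs"}


@dataclass
class CodeElement:
    name: str
    signer: Optional[str]        # None models unsigned code
    wants: Set[str]              # capabilities the element would use


@dataclass
class ECL:
    """Workstation allow-list: signer -> granted capabilities.
    Default deny: any signer not listed, and all unsigned code, gets nothing."""
    rules: Dict[str, Set[str]] = field(default_factory=dict)

    def evaluate(self, code: CodeElement) -> Tuple[bool, Set[str]]:
        """Return (allowed, denied_capabilities) for one code element."""
        if code.signer is None:
            return False, set(code.wants)
        granted = self.rules.get(code.signer, set())
        denied = set(code.wants) - granted
        return (not denied), denied


def locked_down_ecl(local_ca: str) -> ECL:
    """The configuration the post recommends: only code signed by the
    organisation's own certifier may do anything on the client."""
    return ECL({local_ca: set(CAPABILITIES)})


def effective_access(acl: Dict[str, Access], user: str,
                     via_web: bool, max_web_access: Access) -> Access:
    """ACL lookup with the separate Web cap: a user reaching the database
    through the Web interface never exceeds max_web_access, whatever the
    ACL entry says."""
    level = acl.get(user, acl.get("-Default-", Access.NO_ACCESS))
    return min(level, max_web_access) if via_web else level


if __name__ == "__main__":
    ecl = locked_down_ecl("/O=ExampleOrg")           # constructed signer name
    for element in (
        CodeElement("mail agent", "/O=ExampleOrg", {"filesystem", "environment"}),
        CodeElement("received script", None, {"filesystem"}),
        CodeElement("vendor agent", "/O=SomeVendor", {"network"}),
    ):
        print(element.name, ecl.evaluate(element))

    acl = {"-Default-": Access.NO_ACCESS, "alice": Access.EDITOR}
    print(effective_access(acl, "alice", via_web=True, max_web_access=Access.READER))
```

Running it shows the signed in-house agent getting everything it asked for, the unsigned script and the third-party agent being refused, and the editor being reduced to reader when she comes in over the Web.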

On Mon, Jun 26, 2000 at 09:23:53PM -0700, Blue Boar wrote:

Someone had asked who uses the scripting features in e-mail clients.  If
you count Notes, I've seen some fairly involved applications written in
Notes.  An old employer of mine did their entire purchase order system
in Notes.

Massive scripting combined with a very buggy client.  The features
that are /supposed/ to be there don't work reliably.  I can't imagine
they've done a good job with security.  The databases it uses to store
messages get corrupted regularly (mine just lost track of which of the
500 messages in my inbox had been read).

Don't forget that just about everything is also exposed through a web
interface - so you have an additional vector for doing bad things.
(Is it possible to create a message that appears substantially
different in the Notes client and via the web? Formatting changes.
Tables disappear.  Perhaps it would be possible to create messages
that read two different ways?)

Attacks on the replication facility would be interesting as well.
(This is a facility whereby a user can download a working copy of a
frequently used database to their local machine and then keep that
copy synchronized with the master - at the least creating
"interesting" things in the local copy would be fun.)

Erik
