Java applets delivered in HTML e-mails can fully compromise IBM Notes users with a single click, according to an IBM security advisory. The vulnerabilities affect the 8.0.x, 8.5.x, and new Notes 9 versions, and the company promises to fix them soon.
“This would allow attackers to compromise users reading/previewing an email” through “arbitrary code executions,” IBM says.
Researchers posting to the Full Disclosure mailing list also said the flaw can be used to load arbitrary Java applets from remote sources, leading to information disclosure. The attack may also be used to trigger an HTTP request as soon as the mail is previewed or opened.
“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” researchers said.
Users can work around the issues by disabling Java applets, Java access from JavaScript, and JavaScript in their Notes preferences. Equivalently, they can set the “EnableJavaApplets”, “EnableLiveConnect”, and “EnableJavaScript” options to “0” in the notes.ini file.
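As an added example (not code from IBM, Bitdefender, or the advisory), the script below audits a notes.ini for the three options named in the workaround and writes a hardened copy with each set to 0. It assumes the plain `Key=Value` layout of notes.ini; the sample file contents are constructed for the demonstration, and any key that is absent is reported as "missing" rather than guessed at, since the client's built-in default then applies.

```python
"""Audit and harden a notes.ini against the HTML-mail applet workaround."""
import sys

# Options named in the IBM workaround; a value of 0 disables each feature.
HARDENED_SETTINGS = {
    "EnableJavaApplets": "0",
    "EnableLiveConnect": "0",
    "EnableJavaScript": "0",
}

# Constructed sample notes.ini fragment (not taken from a real installation).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Notes\\data
KitType=1
EnableJavaApplets=1
EnableLiveConnect=1
"""


def parse_notes_ini(text):
    """Return {lowercased key: value} for every Key=Value line.

    notes.ini keys are treated as case-insensitive; the [Notes] header,
    blank lines and ';' comments are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_notes_ini(text):
    """Report each workaround option as 'disabled', 'enabled' or 'missing'.

    Any explicit value other than 0 counts as enabled; a missing key is
    reported as such because the client default applies, not a value of 0.
    """
    settings = parse_notes_ini(text)
    report = {}
    for name, safe_value in HARDENED_SETTINGS.items():
        current = settings.get(name.lower())
        if current is None:
            report[name] = "missing"
        elif current == safe_value:
            report[name] = "disabled"
        else:
            report[name] = "enabled"
    return report


def harden_notes_ini(text):
    """Return the file text with each workaround option forced to 0.

    Existing lines for those keys are rewritten in place; keys that are
    absent are appended at the end. All other lines are kept verbatim.
    """
    wanted = {k.lower(): (k, v) for k, v in HARDENED_SETTINGS.items()}
    seen = set()
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, _ = line.partition("=")
        lowered = key.strip().lower()
        if sep and lowered in wanted and not line.startswith((";", "[")):
            name, value = wanted[lowered]
            out.append(f"{name}={value}")
            seen.add(lowered)
        else:
            out.append(raw)
    for lowered, (name, value) in wanted.items():
        if lowered not in seen:
            out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python harden_notes_ini.py [path/to/notes.ini]
    # Without a path the constructed sample is used; the hardened text is
    # printed rather than written, so the operator can review it first.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_NOTES_INI
    for option, state in audit_notes_ini(source).items():
        print(f"{option}: {state}")
    print("--- hardened ---")
    print(harden_notes_ini(source), end="")
```

Run it against a real notes.ini by passing the path; it only prints the hardened text, so the file is not modified until the operator copies the result into place. Because the function is idempotent, re-running it on an already hardened file produces identical output.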
The IBM Notes mail client accepts Java applet tags and script tags inside HTML e-mails, which makes it possible to load applets and scripts from a remote location.
Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story.