Java Applets May Fully Compromise Notes Users

Java applets may fully compromise Notes users with just one click from cyber-criminals sending them through HTML e-mails, according to an IBM security advisory. The vulnerabilities affect 8.0.x, 8.5.x, and the new Notes 9 versions, but the company promises to soon fix the problems.

“This would allow attackers to compromise users reading/previewing an email” through “arbitrary code executions,” IBM says.

Full Disclosure researchers also said this can be used to load arbitrary Java applets from remote sources, for information disclosure. The attack may also be used to trigger an HTTP request once the mail is previewed or opened.

“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” researchers said.

Users can work around the issues by disabling their Java applets, Java access from JavaScript, and JavaScript from their Notes preferences. They can also set the “0” variable in the notes.ini file for the “EnableJavaApplets”, “EnableLiveConnect”, and “EnableJavaScript” options.

The IBM Notes mail client accepts Java applet tags and JavaScript tags inside HTML emails, making it possible to load applets and scripts from a remote location.