Lotus Notes vulnerable to MS Windows graphics rendering engine bug


As originally discovered by John Herron at NIST.org (posted below), Lotus Notes is vulnerable to the WMF exploit.

IBM has released a technical bulletin that points out that their Lotus Notes product is vulnerable to the WMF exploit as follows:

Lotus Notes accesses shimgvw.dll under the following circumstances:
  • When opening (launching) an image file attachment
  • When double clicking on (activating) an OLE object that uses the image viewer control
  • When the form is set to auto-launch first OLE object and the object uses the image control. In received emails, you have to say "Yes" to launch it before it will activate the object
  • When creating an OLE object that uses the image control
  • When browsing for a file in a folder (which is set to display thumbnails) that contains any image file



Update 3 Jan 2006: Further research indicates that Lotus Notes code is probably not directly vulnerable. However, Lotus Notes uses Windows function calls for file browsing, and when attaching or saving a file it is Windows that calls the vulnerable "shimgvw.dll" file. The Sysinternals Filemon program attributes calls to shimgvw.dll to Lotus Notes even though, contrary to what the screenshot suggests, nlnotes.exe is not actually calling the DLL directly. Many applications call on Windows for file browsing, not just Lotus Notes. However, this does not mean that all is well. If you use Windows XP, it will create thumbnails of images when browsing folders through Notes, and that is enough to trigger the exploit in an infected file. It's highly recommended that you install the unofficial Microsoft patch now, before it's too late. See the following article for more information and a link to the patch (this patch is recommended by both SANS.org and NIST.org, as well as several antivirus companies).

Here is IBM's Technote on the matter.




----- Original posting
Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments. Because of this, all Lotus Notes users are vulnerable to the WMF zero-day exploit. At this point there is little that can be done except block all incoming images at the perimeter.

Someone, or an email worm, simply needs to email a person a message with a graphics file attachment. It doesn't matter whether the person Views or Opens (Runs) the attachment: shimgvw.dll will be used to render the image, and the malicious file can compromise the computer.

To verify that Lotus Notes uses the vulnerable DLL file, a program called FileMon was used:

Image: /nist_plugins/content/images/image/notes_using_shimgvw_dll.jpg

The following screenshot shows the attached image that was viewed above. Note that the WMF file had been renamed to have a .JPG extension. The image was still viewed as normal.
Image: /nist_plugins/content/images/image/Renamed_WMF_File.jpg
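
Because the renamed file above was still rendered, a perimeter or mail filter that trusts the file extension will miss it. The following is an added example, not code from NIST.org or IBM: a Python check that recognizes WMF content from its header bytes regardless of the attachment name. The function names and the sample byte strings are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
PLACEABLE_LEN = 22
META_HEADER_LEN = 18         # standard WMF header: nine 16-bit words

def looks_like_wmf(data: bytes) -> bool:
    """True if data begins with a WMF header, with or without a placeable header."""
    offset = 0
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN
    if len(data) < offset + META_HEADER_LEN:
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data, offset)
    # Type 1 = memory, 2 = disk; header size is always 9 words; version 1.0 or 3.0.
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def screen_attachment(name: str, data: bytes) -> str:
    """Decide on content first, then report whether the extension disagrees."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not looks_like_wmf(data):
        return "allow"
    if ext == "wmf":
        return "block: WMF content"
    label = f".{ext}" if ext else "a file with no extension"
    return f"block: WMF content disguised as {label}"

# Constructed sample inputs (minimal headers, not taken from any real file).
WMF_SAMPLE = (struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
              + b"\x03\x00\x00\x00\x00\x00")
PLACEABLE_SAMPLE = (struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
                    + WMF_SAMPLE)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("photo.jpg", WMF_SAMPLE), ("logo.jpg", PLACEABLE_SAMPLE),
                       ("drawing.wmf", WMF_SAMPLE), ("real.jpg", JPEG_SAMPLE)]:
        print(f"{name:12} -> {screen_attachment(name, blob)}")
```
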

This vulnerability can be exploited by malicious people to compromise a vulnerable system. NOTE: Exploit code is publicly available. This is being exploited in the wild.

Lotus Notes vulnerability discovered by John Herron // NIST.org



NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.
