NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Lotus Notes vulnerable to MS Windows graphics rendering engine bug
print the content item {PDF=create pdf file of the content item^plugin:content.25}
in General IT Security > Vulnerabilities


As originally discovered by John Herron at NIST.org (posted below) Lotus Notes is vulnerable to the WMF exploit.

IBM Has released a technical bulletin that points out that their Lotus Notes product is vulnerable to the WMF exploit as follows:

Lotus Notes accesses shimgvw.dll under the following circumstances:
  • When opening (launching) an image file attachment
  • When double clicking on (activating) an OLE object that uses the image viewer control
  • When the form is set to auto-launch first OLE object and the object uses the image control. In received emails, you have to say "Yes" to launch it before it will activate the object
  • When creating an OLE object that uses the image control
  • When browsing for a file in a folder (which is set to display thumbnails) that contains any image file



Update 3 Jan 2006: Further research is indicating that Lotus Notes code is probably not directly vulnerable. However, Lotus Notes uses Windows function calls for file browsing and when attaching or saving a file it's Windows that calls the vulnerable "shimgvw.dll" file. The Sysinternals Filemon program attributes calls to the shimgvw.dll to Lotus Notes even though it is not actually the nlnotes.exe calling the DLL directly as the screenshot indicates. Many applications call on Windows for file browsing, not just Lotus Notes. However this does not mean that all is well. If you use Windows XP it will create thumbnails of images when browsing folders through Notes and that's enough to trigger the exploit in an infected file. It's highly recommended that you install the unofficial Microsoft patch now, before its too late. See the following article for more information and a link to the patch (this patch is recommended by both SANS.org and NIST.org, as well as several antivirus companies).

Here is IBM's Technote on the matter.




----- Original posting
Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments. Because of this, all Lotus Notes users are vulnerable to the WMF zero-day exploit. At this point there is little that can be done except block all incoming images at the perimeter.

Someone, or an email worm, simply needs to email a person a message with a graphics file attachment. It doesn't matter if the person Views or Opens (Runs) the attachment the shimgvw.dll will be used to render the image and the malicious file can compromise the computer.

To verify that Lotus Notes uses the vulnerable DLL file a program called FileMon was used:

Image: /nist_plugins/content/images/image/notes_using_shimgvw_dll.jpg

The following screenshot shows the attached image that was viewed above. Note that the WMF file had been renamed to have a .JPG extension. The image was still viewed as normal.
Image: /nist_plugins/content/images/image/Renamed_WMF_File.jpg

This vulnerabilty can be exploited by malicious people to compromise a vulnerable system. NOTE: Exploit code is publicly available. This is being exploited in the wild.

Lotus Notes vulnerability discovered by John Herron // NIST.org



Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2014-9905
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow r ...
»CVE-2016-10134
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to ...
»CVE-2016-10227
Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial o ...
»CVE-2016-1249
The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allo ...
»CVE-2016-4311
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5. ...
»CVE-2016-4312
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 befo ...
»CVE-2016-4314 (carbon)
Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote ...
»CVE-2016-4315 (carbon)
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hija ...
»CVE-2016-4316 (carbon)
Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to i ...
»CVE-2016-4327 (enablement_server_for_java)
Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
»CVE-2016-4613
An issue was discovered in certain Apple products. Safari before 10.0.1 is affected. iCloud before 6 ...
»CVE-2016-4617
An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involve ...
»CVE-2016-4660
An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 ...
»CVE-2016-4661
An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue invol ...
»CVE-2016-4662
An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue invol ...


Date published: 2017-02-21T15:00:01Z
Details

»OpenSSL Releases Security Update
Original release date: February 16, 2017 OpenSSL version 1.1.0e has been released to address ...
»Cisco Releases Security Update
Original release date: February 15, 2017 Cisco has released a security update to address a vu ...
»FBI Releases Article on Romance Scams
Original release date: February 14, 2017 The Federal Bureau of Investigation (FBI) has releas ...
»Adobe Releases Security Updates
Original release date: February 14, 2017 Adobe has released security updates to address vulne ...
»Apple Releases Security Update
Original release date: February 14, 2017 Apple has released a security updates to address a v ...
»Enhanced Analysis of GRIZZLY STEPPE
Original release date: February 10, 2017 The Department of Homeland Security (DHS) has releas ...
»ISC Releases Security Updates for BIND
Original release date: February 08, 2017 | Last revised: February 09, 2017 The Internet Syste ...
»Cisco Clock Signal Component Failure Advisory
Original release date: February 06, 2017 Cisco has released a hardware advisory for a clock s ...
»CERT/CC Reports a Microsoft SMB Vulnerability
Original release date: February 03, 2017 CERT Coordination Center (CERT/CC) has released info ...
»Cisco Releases Security Updates
Original release date: February 01, 2017 Cisco has released security updates to address a vul ...


Date published: not known
Details




Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» OpenSSL Releases Security Update
[16 Feb 2017 07:23pm]

» Cisco Releases Security Update
[15 Feb 2017 12:20pm]

» FBI Releases Article on Romance Scams
[14 Feb 2017 09:01pm]

» Adobe Releases Security Updates
[14 Feb 2017 08:57am]

» Apple Releases Security Update
[14 Feb 2017 06:25am]

» Enhanced Analysis of GRIZZLY STEPPE
[10 Feb 2017 07:24pm]

» ISC Releases Security Updates for BIND
[08 Feb 2017 05:29pm]

» Cisco Clock Signal Component Failure Advisory
[06 Feb 2017 04:40pm]

» CERT/CC Reports a Microsoft SMB Vulnerability
[03 Feb 2017 01:48am]

» Cisco Releases Security Updates
[01 Feb 2017 10:59am]

***
US-CERT Alerts

» TA16-336A: Avalanche (crimeware-as-a-service infrastructure)
[30 Nov 2016 10:00pm]

» TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets
[14 Oct 2016 05:59pm]

» TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
[06 Sep 2016 04:29pm]

» TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
[05 Jul 2016 08:50am]

» TA16-144A: WPAD Name Collision Vulnerability
[23 May 2016 05:38am]

» TA16-132A: Exploitation of SAP Business Applications
[11 May 2016 05:31am]

» TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
[14 Apr 2016 01:48pm]

» TA16-091A: Ransomware and Recent Variants
[31 Mar 2016 04:00pm]

» TA15-337A: Dorkbot
[03 Dec 2015 04:40pm]

» TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
[10 Nov 2015 06:12pm]

***
Computerworld Security

» Verizon knocks $350M from Yahoo deal after breaches
[21 Feb 2017 08:23am]

» True privacy online is not viable
[21 Feb 2017 04:00am]

» Hackers behind bank attack campaign use Russian decoy
[20 Feb 2017 08:00am]

» Uber to investigate female engineer’s ‘abhorrent’ sexual harassment claims
[20 Feb 2017 06:51am]

» RSA demo: TruStar anonymizes incident data to improve information exchange
[17 Feb 2017 04:50pm]

» Why robotics is key to cybersecurity's future
[17 Feb 2017 04:46pm]

» Here’s how the U.S. government can bolster cybersecurity
[17 Feb 2017 02:53pm]

» IDG Contributor Network: Why February's Patch Tuesday is delayed
[17 Feb 2017 10:52am]

» Insecure Android apps put connected cars at risk
[17 Feb 2017 10:08am]

» Tips for negotiating with cyber extortionists
[17 Feb 2017 05:51am]

» Get 72% off NordVPN Virtual Private Network Service For a Limited Time - Deal Alert
[16 Feb 2017 08:45pm]

» Experts at RSA offer up their best cybersecurity advice
[16 Feb 2017 05:34pm]

» Why (or where) many security programs fail
[16 Feb 2017 02:36pm]

» Israeli soldiers hit by Android malware from cyberespionage group
[16 Feb 2017 01:45pm]

» How the Cyber Threat Alliance works to fight cybercrime
[16 Feb 2017 12:29pm]

***
Microsoft Security Advisories

» 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0
[27 Jan 2017 11:00am]

» 3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0
[10 Jan 2017 11:00am]

» 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege - Version: 1.0
[13 Sep 2016 11:00am]

» 3174644 - Updated Support for Diffie-Hellman Key Exchange - Version: 1.0
[13 Sep 2016 11:00am]

» 3179528 - Update for Kernel Mode Blacklist - Version: 1.0
[09 Aug 2016 11:00am]

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

» 3152550 - Update to Improve Wireless Mouse Input Filtering - Version: 1.1
[22 Apr 2016 11:00am]

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 11:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 11:00am]

» 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 1.0
[12 Jan 2016 11:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 11:00am]

» 3118753 - Updates for ActiveX Kill Bits 3118753 - Version: 1.0
[12 Jan 2016 11:00am]

» 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 53.0
[05 Jan 2016 11:00am]

» 3123040 - Inadvertently Disclosed Digital Certificate Could Allow Spoofing - Version: 1.0
[08 Dec 2015 11:00am]

***
WIRED

» An Arms Dealer Says Life Under Trump Is a ‘Win-Win’
[20 Feb 2017 05:00am]

» Smart City Tech Would Make Military Bases Safer
[19 Feb 2017 07:30am]

» The Former Secretary of Defense Outlines the Future of Warfare
[19 Feb 2017 05:00am]

» Security News This Week: Yahoo Got Hacked Again. No, Seriously
[18 Feb 2017 08:00am]

» Finding the Right National Security Adviser Won’t Be Easy
[17 Feb 2017 04:46pm]

» Android Phone Hacks Could Unlock Millions of Cars
[16 Feb 2017 03:30pm]

» Leaks Are Totally American—They’re Just Easier Now
[16 Feb 2017 12:17pm]

» Encryption Apps Help White House Staffers Leak—and Maybe Break the Law
[15 Feb 2017 10:43am]

» A Chip Flaw Strips Away Hacking Protections for Millions of Devices
[14 Feb 2017 05:30pm]

» The Best Encrypted Chat App Now Does Video Calls Too
[14 Feb 2017 11:55am]

***
Network World Security

» New York State Cybersecurity Rules and the Skills Shortage
[21 Feb 2017 08:55am]

» EFF: Congress is considering making it illegal to protect consumer privacy online
[21 Feb 2017 08:36am]

» IDG Contributor Network: Breaking through the cybersecurity bubble
[21 Feb 2017 08:15am]

» We finally know how much a data breach can cost
[21 Feb 2017 07:54am]

» 5 open source security tools too good to ignore
[21 Feb 2017 07:12am]

» Review: Samsung SmartCam PT network camera
[15 Feb 2017 07:00am]

» Review: Arlo Pro cameras offer true flexibility for home security
[09 Feb 2017 07:01am]

» Face-off: Oracle vs. CA for identity management
[26 Jan 2017 10:30am]

» 6 steps to secure a home security camera
[23 Jan 2017 04:00am]

» REVIEW: Home security cameras fall short on security
[23 Jan 2017 04:00am]

» Review: Microsoft Windows Defender comes up short
[03 Jan 2017 10:48am]

» Inside 3 top threat hunting tools
[19 Dec 2016 04:00am]

» Review: Threat hunting turns the tables on attackers
[19 Dec 2016 04:00am]

» New York State Cybersecurity Rules and the Skills Shortage
[21 Feb 2017 08:55am]

» IDG Contributor Network: Breaking through the cybersecurity bubble
[21 Feb 2017 08:15am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}