NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Lotus Notes vulnerable to MS Windows graphics rendering engine bug
print the content item {PDF=create pdf file of the content item^plugin:content.25}
in General IT Security > Vulnerabilities


As originally discovered by John Herron at NIST.org (posted below) Lotus Notes is vulnerable to the WMF exploit.

IBM Has released a technical bulletin that points out that their Lotus Notes product is vulnerable to the WMF exploit as follows:

Lotus Notes accesses shimgvw.dll under the following circumstances:
  • When opening (launching) an image file attachment
  • When double clicking on (activating) an OLE object that uses the image viewer control
  • When the form is set to auto-launch first OLE object and the object uses the image control. In received emails, you have to say "Yes" to launch it before it will activate the object
  • When creating an OLE object that uses the image control
  • When browsing for a file in a folder (which is set to display thumbnails) that contains any image file



Update 3 Jan 2006: Further research is indicating that Lotus Notes code is probably not directly vulnerable. However, Lotus Notes uses Windows function calls for file browsing and when attaching or saving a file it's Windows that calls the vulnerable "shimgvw.dll" file. The Sysinternals Filemon program attributes calls to the shimgvw.dll to Lotus Notes even though it is not actually the nlnotes.exe calling the DLL directly as the screenshot indicates. Many applications call on Windows for file browsing, not just Lotus Notes. However this does not mean that all is well. If you use Windows XP it will create thumbnails of images when browsing folders through Notes and that's enough to trigger the exploit in an infected file. It's highly recommended that you install the unofficial Microsoft patch now, before its too late. See the following article for more information and a link to the patch (this patch is recommended by both SANS.org and NIST.org, as well as several antivirus companies).

Here is IBM's Technote on the matter.




----- Original posting
Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments. Because of this, all Lotus Notes users are vulnerable to the WMF zero-day exploit. At this point there is little that can be done except block all incoming images at the perimeter.

Someone, or an email worm, simply needs to email a person a message with a graphics file attachment. It doesn't matter if the person Views or Opens (Runs) the attachment the shimgvw.dll will be used to render the image and the malicious file can compromise the computer.

To verify that Lotus Notes uses the vulnerable DLL file a program called FileMon was used:

Image: /nist_plugins/content/images/image/notes_using_shimgvw_dll.jpg

The following screenshot shows the attached image that was viewed above. Note that the WMF file had been renamed to have a .JPG extension. The image was still viewed as normal.
Image: /nist_plugins/content/images/image/Renamed_WMF_File.jpg

This vulnerabilty can be exploited by malicious people to compromise a vulnerable system. NOTE: Exploit code is publicly available. This is being exploited in the wild.

Lotus Notes vulnerability discovered by John Herron // NIST.org



Translate to: French German Italian Spanish Portuguese GTM_LAN_DUTCH Russian Chinese Arabic Korean English
Google Ads




Headlines

»NCCoE Speaker Series March 2015
»New NIST Tools to Help Boost Wireless Channel Frequencies and Capacity
»NIST Announces Pilot Grants Competition to Improve Security and Privacy of Online Identity Verification Systems
»Vendors Sought to Develop Model System to Monitor Security of Energy Industry Networked Control Systems
»NIST Releases Update of Industrial Control Systems Security Guide for Final Public Review
»Cybersecurity Summit Technical Workshop
»NIST Forensic Science Standards Committees to Hold First Public Meetings in February 2015
»NIST Security Guide Walks Organizations Through the Mobile App Security Vetting Process
»Open-Source Software for Quantum Information
»NIST Requests Round Two Comments on its Cryptographic Standards Process
»Symposium to Focus on Future of Voting Systems
»NIST Meeting: Cybersecurity Is a Key Ingredient In the Manufacturing Mix
»Future of Voting Systems Symposium II
»Global City Teams Challenge Tech Jam
»NIST Announces Initial Members of Forensic Science Digital Evidence Subcommittee


Date published: not known
Details

»Guidance for Defending Against Destructive Malware
Original release date: March 03, 2015 The Information Assurance Directorate of the National S ...
»FTC Details the Top 10 Imposter Scams of 2014
Original release date: March 02, 2015 The Federal Trade Commission (FTC) has released an advi ...
»Cisco IPv6 Denial of Service Vulnerability
Original release date: February 25, 2015 Cisco has identified a vulnerability that could allo ...
»Samba Remote Code Execution Vulnerability
Original release date: February 24, 2015 Linux and Unix based operating systems employing Sam ...
»Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
Original release date: February 24, 2015 The Mozilla Foundation has released security updates ...
»Lenovo Computers Vulnerable to HTTPS Spoofing
Original release date: February 20, 2015 Lenovo consumer personal computers employing the pre ...
»IRS Issues Warning for a Scam Targeting Tax Preparers
Original release date: February 18, 2015 The Internal Revenue Service (IRS) has issued a pres ...
»ISC Releases Security Updates for BIND
Original release date: February 18, 2015 The Internet Systems Consortium (ISC) has released s ...
»Microsoft Releases February 2015 Security Bulletin
Original release date: February 10, 2015 Microsoft has released updates to address vulnerabil ...
»Microsoft Releases Critical Security Update for Internet Explorer
Original release date: February 10, 2015 Microsoft has released a critical security update to ...


Date published: not known
Details

»Paper: Script in a lossy stream
Dénes Óvári explains how to store code in lossily compressed JPEG data. Malformed PDF ...
»TorrentLocker spam has DMARC enabled
Use of email authentication technique unlikely to bring any advantage. Last week, Trend Micro resear ...
»VB2014 paper: Caphaw - the advanced persistent pluginer
Micky Pun and Neo Tan analyse the banking trojan that is best known for spreading through Skype. Sin ...
»M3AAWG releases BCP document on dealing with child sexual abuse material
Subject may make many feel uncomfortable, but it is essential that we know how to deal with it. The ...
»Hacker group takes over Lenovo's DNS
As emails were sent to wrong servers, DNSSEC might be worth looking into. Although, after some initi ...
»Coordinated action takes down Ramnit botnet infrastructure
Malware remains present on infected machines; 2012 Virus Bulletin paper worth studying. A coordinate ...
»Almost 50% increase in reported vulnerabilities as non-Windows operating systems lead the table
Each discovered vulnerability is actually a good news story. Last week, security firm GFI published ...
»Vawtrak trojan spread through malicious Office macros
Users easily tricked, but plenty of opportunity for the malware to be blocked. Researchers at Trend ...
»Lenovo laptops pre-installed with software that adds its own root CA certificate
Shared root certificate makes for easy man-in-the-middle attacks. What is Superfish? Superfish is a ...


Date published: not known
Details

»Enterprises Thirsting For Third-Party Threat Data
New report shows enterprises more heavily weighing risks of data loss and cyber attacks in evaluatio ...
»Breach Victims Three Times Likelier To Be Identity Theft Victims
Twenty-eight percent of them say they later avoided the merchants that failed to protect their perso ...
»FREAK Out: Yet Another New SSL/TLS Bug Found
Old-school, export-grade crypto standard used until the 1990s can be triggered to downgrade security ...
»Compliance & Security: A Race To The Bottom?
Compliance is meaningless if organizations don't use it as a starting point to understand and mitiga ...
»What You Need To Know About Nation-State Hacked Hard Drives
The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, ...
»Uber Takes Over 5 Months To Issue Breach Notification
50,000 Uber drives just being told now that their names and license numbers were exposed.
»5 Signs That The Firewall's Not Dead Yet
Demise of firewall is a long way off, according to recent survey results.
»No Silver Bullets for Security
A quick-fix security solution for cyberphysical systems doesn't exist.
»Why Security Awareness Alone Won't Stop Hackers
End-user training is a noble pursuit but it's no defense against "low and slow" attacks that take mo ...


Date published: Wed, 04 Mar 2015 01:13:49 EST
Details
Main Menu
· Home
Current Security News
 
SANS Internet Storm Center, InfoCON: green

» Infocon: green

» Freak Attack - Surprised? No. Worried? A little. , (Wed, Mar 4th)
[03 Mar 2015 09:06pm]

» ISC StormCast for Wednesday, March 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4381, (Wed, Mar 4th)
[03 Mar 2015 08:52pm]

» An Example of Evolving Obfuscation, (Tue, Mar 3rd)
[03 Mar 2015 09:42am]

» ISC StormCast for Tuesday, March 3rd 2015 http://isc.sans.edu/podcastdetail.html?id=4379, (Tue, Mar 3rd)
[02 Mar 2015 07:24pm]

» How Do You Control the Internet of Things Inside Your Network?, (Mon, Mar 2nd)
[02 Mar 2015 10:21am]

» ISC StormCast for Monday, March 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4377, (Mon, Mar 2nd)
[01 Mar 2015 06:57pm]

» Advisory: Seagate NAS Remote Code Execution, (Sun, Mar 1st)
[01 Mar 2015 09:14am]

» Let's Encrypt!, (Fri, Feb 27th)
[27 Feb 2015 08:34pm]

» DDOS are way down? Why?, (Fri, Feb 27th)
[27 Feb 2015 01:04pm]

» Leonard Nimoy has passed - please be alert for the rounds of Phishing and malware that will inevitably occur!, (Fri, Feb 27th)
[27 Feb 2015 11:23am]

***
CNET News.com

» Microsoft defends opening Hotmail account of blogger in espionage case
[20 Mar 2014 06:47pm]

» Syria's Internet goes dark for several hours
[20 Mar 2014 04:25pm]

» Symantec fires CEO Steve Bennett
[20 Mar 2014 03:07pm]

» Microsoft sniffed blogger's Hotmail account to trace leak
[20 Mar 2014 01:28pm]

» Microsoft sniffed private Hotmail account to trace trade secret leak
[20 Mar 2014 01:28pm]

» IBM's new services zero in on fraud, financial crime
[20 Mar 2014 07:31am]

» Despite assault on privacy, Page sees value in online openness
[19 Mar 2014 08:00pm]

» Hackers transform EA Web page into Apple ID phishing scheme
[19 Mar 2014 05:21pm]

» NSA top lawyer says tech giants knew about data collection
[19 Mar 2014 02:57pm]

» Microsoft touts study showing the cost of pirated software
[19 Mar 2014 06:55am]

» Microsoft touts study showing cost of malware in pirated software
[19 Mar 2014 06:55am]

» How to spy on your lover, the smartphone way
[18 Mar 2014 01:24pm]

» Mt. Gox update lets users see their Bitcoin balances
[18 Mar 2014 06:38am]

» Fake Malaysia Airlines links spread malware
[17 Mar 2014 05:12pm]

» IBM: No, we did not help NSA spy on customers
[17 Mar 2014 01:15pm]

***

***



***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf
Symantec News

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}