Lotus Notes vulnerable to MS Windows graphics rendering engine bug
NIST.org, Monday 02 January 2006 - 22:00:00
As originally discovered by John Herron at NIST.org (posted below), Lotus Notes is vulnerable to the WMF exploit.
IBM has released a technical bulletin pointing out that its Lotus Notes product is vulnerable to the WMF exploit, as follows:
Lotus Notes accesses shimgvw.dll under the following circumstances:
- When opening (launching) an image file attachment
- When double clicking on (activating) an OLE object that uses the image viewer control
- When the form is set to auto-launch first OLE object and the object uses the image control. In received emails, you have to say "Yes" to launch it before it will activate the object.
- When creating an OLE object that uses the image control
- When browsing for a file in a folder (which is set to display thumbnails) that contains any image file
Update 3 Jan 2006: Further research indicates that the Lotus Notes code is probably not directly vulnerable. However, Lotus Notes uses Windows function calls for file browsing, and when attaching or saving a file it is Windows that calls the vulnerable "shimgvw.dll" file. The Sysinternals Filemon program attributes calls to shimgvw.dll to Lotus Notes even though it is not actually nlnotes.exe calling the DLL directly as the screenshot indicates. Many applications call on Windows for file browsing, not just Lotus Notes. However, this does not mean that all is well. If you use Windows XP, it will create thumbnails of images when browsing folders through Notes, and that is enough to trigger the exploit in an infected file. It's highly recommended that you install the unofficial Microsoft patch now, before it's too late. See the following article for more information and a link to the patch (this patch is recommended by both SANS.org and NIST.org, as well as several antivirus companies).
Here is IBM's Technote on the matter.
----- Original posting
Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments. Because of this, all Lotus Notes users are vulnerable to the WMF zero-day exploit. At this point there is little that can be done except block all incoming images at the perimeter.
Someone, or an email worm, simply needs to email a person a message with a graphics file attachment. It doesn't matter whether the person Views or Opens (Runs) the attachment: shimgvw.dll will be used to render the image, and the malicious file can compromise the computer.
To verify that Lotus Notes uses the vulnerable DLL file a program called FileMon was used:

The following screenshot shows the attached image that was viewed above. Note that the WMF file had been renamed to have a .JPG extension. The image was still viewed as normal.
This vulnerability can be exploited by malicious people to compromise a vulnerable system. NOTE: Exploit code is publicly available. This is being exploited in the wild.
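Because the renamed WMF above still rendered under a .JPG name, a perimeter filter has to identify metafiles by content rather than by extension. The following is an added example, not part of the original posting or of IBM's bulletin: it flags attachments whose leading bytes are a WMF header. The function names and the sample attachments are constructed for illustration.

```python
import os
import struct

# Placeable ("Aldus") WMF files start with the key 0x9AC6CDD7, little-endian.
PLACEABLE_KEY = struct.pack("<I", 0x9AC6CDD7)
JPEG_MAGIC = b"\xff\xd8\xff"


def is_wmf(data: bytes) -> bool:
    """Return True when the bytes begin with a WMF header, whatever the file is named."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 18:  # a standard WMF header is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = memory, 2 = disk; header is 9 words; version 1.0 or 3.0.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def screen_attachments(attachments):
    """Return (name, reason) for every attachment a gateway should hold back."""
    held = []
    for name, data in attachments:
        if is_wmf(data):
            ext = os.path.splitext(name)[1].lower()
            if ext == ".wmf":
                reason = "WMF content"
            else:
                reason = f"WMF content behind extension {ext or '(none)'}"
            held.append((name, reason))
    return held


def _sample_wmf() -> bytes:
    """Constructed, harmless metafile: header plus the end-of-file record only."""
    eof_record = struct.pack("<IH", 3, 0x0000)  # record size in words, function 0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    return header + eof_record


# Constructed sample attachments (not real traffic).
SAMPLES = [
    ("chart.wmf", _sample_wmf()),
    ("holiday.jpg", _sample_wmf()),  # renamed metafile, as in the test above
    ("logo.wmf", PLACEABLE_KEY + bytes(18) + _sample_wmf()),
    ("photo.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + bytes(16)),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, reason in screen_attachments(SAMPLES):
        print(f"HOLD {name}: {reason}")
```

The check treats the placeable key alone as sufficient to hold a file, which errs toward blocking.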
Lotus Notes vulnerability discovered by John Herron // NIST.org
this content item is from NIST IT Security
( http://www.nist.org/nist_plugins/content/content.php?content.25 )