If you haven't already killed Lotus Notes, IBM just gave you the perfect reason to do it now, fast

Also: Big Blue's Meltdown, Spectre status updated, and a mystery bug in AIX

IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.

In its advisory, IBM says the Notes Smart Updater service, which delivers Notes upgrades to users' desktops, “can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory.”

Compromising an auto-updater is serious business: users trust it to bring in safe code, in this case new versions of Notes, and because the updater runs as a Windows service, any code it can be tricked into loading runs with the service's privileges rather than the logged-on user's. A flaw that lets an unprivileged local user plant that code is therefore a local privilege escalation, and extraordinarily dangerous.

The bug, CVE-2017-1711, affects versions in the Notes 8.5 and 9.0 branches.

It's one of two turned up by Danish infosec company Improsec, which has made its disclosures here (you'll need Google translate).

Author Lasse Trolle Borup explains “the service simply copies itself to the TEMP directory and executes the copy, probably for when the update service must update its own executable. The problem here is that, though normal users are not allowed to list the contents of TEMP, they can still write files there.

“By executing a file from an uncontrolled location, the service is exposing itself to DLL Search Order Hijacking”, Borup continued.

All that's needed to reproduce the bug, Borup wrote, is to compile his proof-of-concept code, statically linked, into a DLL named MSIMG32.dll; copy that file to C:\windows\temp; and then trigger the service by sending it a user-defined control code (136 lies in the 128 to 255 range reserved for them) with sc control lnsusvc 136 at the command line. The service copies itself to TEMP, runs the copy, and the copy resolves MSIMG32.dll from its own directory before looking in System32.
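To make the loader behaviour behind Borup's recipe concrete, here is an added example (my own, not code from IBM, Improsec or the original article) that models the Windows DLL search order in Python and shows why a planted MSIMG32.dll is picked up by a program executed from C:\Windows\Temp while a planted KERNEL32.dll would not be, and why the same binary run from a non-writable install directory is safe. The directory layout, import list, writability flags and the Notes install path are constructed assumptions, and the KnownDLLs set is an abbreviated subset of the real registry value.

```python
"""Model of the Windows DLL search order, used to reason about DLL search
order hijacking of a binary executed from a user-writable directory.

Added example, not code from IBM, Improsec or the article. Directories,
imports and writability flags are constructed test data, not read from a
real host; the KnownDLLs set is abbreviated.
"""
from dataclasses import dataclass, field

# Abbreviated subset of
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# The loader always maps KnownDLLs from the system section, never from the
# application directory, so planting a file with one of these names does
# nothing. (Windows also treats static dependencies of KnownDLLs as known;
# that closure is omitted here for brevity.)
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
    "advapi32.dll", "gdi32.dll", "ole32.dll", "shell32.dll", "rpcrt4.dll",
}


@dataclass
class Directory:
    path: str
    files: set = field(default_factory=set)   # lower-cased file names present
    user_writable: bool = False               # can a normal user create files here?


@dataclass
class Host:
    system32: Directory
    system: Directory
    windows: Directory
    cwd: Directory
    path_dirs: list


def search_order(app_dir: Directory, host: Host) -> list:
    """Directory order with SafeDllSearchMode on (the Windows default):
    the application's own directory first, then System32, System, Windows,
    the current directory, and finally each PATH entry."""
    return [app_dir, host.system32, host.system, host.windows, host.cwd, *host.path_dirs]


def planting_path(dll: str, app_dir: Directory, host: Host):
    """Path where an unprivileged user could plant `dll` so that a process
    started from `app_dir` loads it, or None if it is not hijackable."""
    if dll.lower() in KNOWN_DLLS:
        return None
    for d in search_order(app_dir, host):
        if dll.lower() in d.files:
            return None             # the legitimate copy is found first
        if d.user_writable:
            return d.path.rstrip("\\") + "\\" + dll
    return None                     # absent everywhere, but nowhere writable to plant it


def hijack_candidates(imports, app_dir: Directory, host: Host) -> dict:
    """Map each imported DLL name to a planting path, or None."""
    return {dll: planting_path(dll, app_dir, host) for dll in imports}


# --- constructed demo data (not taken from a real machine) -----------------
SYSTEM32 = Directory(r"C:\Windows\System32",
                     {"ntdll.dll", "kernel32.dll", "advapi32.dll",
                      "user32.dll", "msimg32.dll"})
# The updater copies itself here and runs the copy; normal users can write here.
TEMP_DIR = Directory(r"C:\Windows\Temp", set(), user_writable=True)
# Assumed install directory (hypothetical path), writable only by administrators.
NOTES_DIR = Directory(r"C:\Program Files\IBM\Notes")
DEMO_HOST = Host(
    system32=SYSTEM32,
    system=Directory(r"C:\Windows\System"),
    windows=Directory(r"C:\Windows"),
    cwd=SYSTEM32,                              # services normally start with cwd = System32
    path_dirs=[SYSTEM32, Directory(r"C:\Windows")],
)
# Imports an updater-style binary might carry; MSIMG32.dll is the one the write-up names.
DEMO_IMPORTS = ["KERNEL32.dll", "ADVAPI32.dll", "MSIMG32.dll"]

if __name__ == "__main__":
    for where in (TEMP_DIR, NOTES_DIR):
        print(f"executable running from {where.path}:")
        for dll, plant in hijack_candidates(DEMO_IMPORTS, where, DEMO_HOST).items():
            print(f"  {dll:14} -> {plant or 'not hijackable'}")
```

Run from the TEMP copy, only MSIMG32.dll resolves to the attacker-writable directory; KERNEL32.dll and ADVAPI32.dll are KnownDLLs and are mapped from the system section regardless. Run from the install directory, nothing is hijackable, which is the whole point of not executing from TEMP. On a real host the writability flag is what you would actually check, with icacls on the directory, and the import list comes from the binary's import table.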

IBM made a second disclosure about the same bug here, since it also affects IBM Client Application Access.

Spectre and Meltdown POWERed down, and an AIX fix

Big Blue had a busy week last week, and on Saturday also updated security folk about its Meltdown/Spectre status here.

It has now issued firmware patches for its POWER7 through to POWER9 platforms here (older chips are out-of-service), IBM i operating system patches are here, and AIX patches here.

POWER-series users running Linux will get their patches from the distribution they use.

In a separate issue, AIX and VIOS also needed patching against CVE-2018-1383, which the company describes as “An unspecified vulnerability in AIX [which] could allow a user with root privileges on one system, to obtain root access on another machine.” ®


Biting the hand that feeds IT © 1998–2022