Java applets embedded in HTML e-mail can be used to fully compromise IBM Notes users, according to an IBM security advisory: a single click on a message sent by cyber-criminals is enough. The vulnerabilities affect Notes 8.0.x, 8.5.x and the new Notes 9 releases, and IBM says it will ship fixes soon.
Researchers posting to the Full Disclosure mailing list also said the flaw can be used to load arbitrary Java applets from remote sources, which on its own allows information disclosure, and to trigger an outbound HTTP request to a remote server as soon as the mail is previewed or opened.
“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” researchers said.
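The practical defence while waiting for the fix is to stop applet-loading HTML from reaching a Java-enabled mail client at all. The following is an added example, not code from the article, from IBM or from the Full Disclosure researchers: a gateway-style scanner that walks the text/html parts of a raw message and flags `<applet>`, Java-typed `<object>`/`<embed>` elements and the `<param>` entries that point at applet code, then lists the remote hosts the client would contact to fetch it. The sample message, the host names and the class and jar names in it are constructed for this example.

```python
"""Flag HTML e-mail that would make a Java-enabled mail client load an applet.

Added example (not from the original article or from IBM's advisory). The
sample message and the names in it are constructed; nothing here reproduces
the Notes-specific trigger, it only detects the HTML that would invoke it.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# MIME types by which <object>/<embed> hand content to the Java plug-in.
JAVA_MIME_TYPES = {
    "application/x-java-applet",
    "application/x-java-bean",
    "application/x-java-vm",
}
# classid of the Java Plug-in ActiveX control used by <object> on Windows.
JAVA_PLUGIN_CLASSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"
# Attributes (and <param> names) that tell the client where the applet code lives.
LOADER_ATTRS = ("code", "codebase", "archive", "object", "data", "src")


class AppletFinder(HTMLParser):
    """Collect elements that would make a Java-enabled renderer fetch applet code."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None  # the <applet>/<object> whose <param>s we are inside

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        is_java = tag == "applet" or (
            tag in ("object", "embed")
            and (a.get("type", "").lower() in JAVA_MIME_TYPES
                 or a.get("classid", "").lower() == JAVA_PLUGIN_CLASSID)
        )
        if is_java:
            finding = {"tag": tag, "loaders": {k: a[k] for k in LOADER_ATTRS if k in a}}
            self.findings.append(finding)
            if tag in ("applet", "object"):
                self._current = finding
        elif tag == "param" and self._current is not None:
            # <param name="archive" value="..."> carries the same loader info as attributes.
            name = a.get("name", "").lower()
            if name in LOADER_ATTRS:
                self._current["loaders"][name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag in ("applet", "object"):
            self._current = None


def scan_html(html):
    """Return the applet-loading elements found in one HTML document."""
    parser = AppletFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw):
    """Return applet findings from every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def remote_hosts(findings):
    """Hosts the client would contact for applet code: what to block at the proxy
    and what to hunt for in proxy logs when looking for the preview-time request."""
    hosts = set()
    for f in findings:
        for value in f["loaders"].values():
            host = urlparse(value).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


# Constructed sample: a plain/HTML alternative mail with a benign image and two
# applet loaders (one <applet>, one <object> using <param>s). Not a real message.
SAMPLE_MAIL = b"""\
From: sender@example.org
To: victim@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see the attached invoice.
--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please see the attached invoice.</p>
<img src="http://cdn.example.org/logo.png">
<applet code="Loader.class" codebase="http://applets.example.net/" archive="loader.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="code" value="Loader.class">
  <param name="archive" value="http://mirror.example.net/loader.jar">
</object>
</body></html>
--b1--
"""

if __name__ == "__main__":
    found = scan_message(SAMPLE_MAIL)
    for f in found:
        print(f["tag"], f["loaders"])
    print("remote hosts:", remote_hosts(found))
```

A gateway would quarantine on any non-empty result rather than try to judge the applet itself; the hostnames are the useful artefact for blocking and for checking proxy logs for the request the researchers describe as firing on preview.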