
Java Applets May Fully Compromise Notes Users

Java applets delivered in HTML e-mails may let cyber-criminals fully compromise Notes users with just one click, according to an IBM security advisory. The vulnerabilities affect the 8.0.x, 8.5.x, and new Notes 9 versions, but the company promises to fix the problems soon.

“This would allow attackers to compromise users reading/previewing an email” through “arbitrary code executions,” IBM says.

Full Disclosure researchers also said this can be used to load arbitrary Java applets from remote sources, for information disclosure. The attack may also be used to trigger an HTTP request once the mail is previewed or opened.

“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” researchers said.

Users can work around the issues by disabling Java applets, Java access from JavaScript, and JavaScript in their Notes preferences. They can also set the “EnableJavaApplets”, “EnableLiveConnect”, and “EnableJavaScript” options to “0” in the notes.ini file.
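An added example, not from IBM's advisory or the original article: a Python check that reads a notes.ini and reports whether the three options named above are set to 0, plus a helper that returns corrected text. It assumes the usual Key=Value layout, treats option names as case-insensitive and treats a missing option as not yet disabled; the sample file content is constructed.

```python
"""Audit a notes.ini for the three workaround settings named in the article."""

REQUIRED = ("EnableJavaApplets", "EnableLiveConnect", "EnableJavaScript")


def parse_notes_ini(text):
    """Return {lowercased key: [values...]} for every Key=Value line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the [Notes] header and anything without '='.
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def audit(text):
    """Map each required setting to 'disabled', 'enabled' or 'missing'."""
    settings = parse_notes_ini(text)
    report = {}
    for name in REQUIRED:
        values = settings.get(name.lower())
        if values is None:
            report[name] = "missing"  # assumption: absent means not yet disabled
        elif all(v == "0" for v in values):
            report[name] = "disabled"
        else:
            report[name] = "enabled"  # any duplicate with a non-zero value counts
    return report


def harden(text):
    """Return notes.ini text with all three settings forced to 0."""
    wanted = {n.lower() for n in REQUIRED}
    kept = [l for l in text.splitlines()
            if not ("=" in l and l.partition("=")[0].strip().lower() in wanted)]
    return "\n".join(kept + [f"{n}=0" for n in REQUIRED]) + "\n"


# Constructed sample, not taken from a real client.
SAMPLE = "[Notes]\nKitType=1\nEnableJavaApplets=1\nenablejavascript=0\n"

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

Run it against a copy of the file; the client should be closed before the live notes.ini is changed.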

The IBM Notes mail client accepts Java applet tags and JavaScript tags inside HTML emails, making it possible to load applets and scripts from a remote location.


About the author


Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story. She's the industry news guru, who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.