The problem allows an attacker to obtain login details remotely, according to Jeff Truedson, network security manager for lighting manufacturer Hubbell. "A GroupWise user could have someone accessing their e-mail, they would never even know it," he wrote in an e-mail publicly disclosing the vulnerability.
Truedson said he published details about the flaw after giving Novell almost three months to fix the issue. The problem affects versions 5.5, 6.5.2 and 6.0 of GroupWise on the Microsoft Windows platform.
According to Truedson, the vendor released a test version of a patch early in June with the aim of fixing the problem. ZDNet Australia  understands Novell subsequently acknowledged the patch was not effective. Truedson said he had not heard from the vendor for one month after that date.
A Novell spokesperson was not available to comment on the issue. The company's GroupWise worldwide support division is understood to be responsible for providing a fix.