Java and JavaScript holes found in IBM Notes

IBM Notes automatically allows the execution of Java applets and JavaScript contained in emails, leading to potential security issues, the company has confirmed.

Versions of the IBM Notes email and workgroup software package contain a security vulnerability that could allow an attacker to gain control of a victim's computer or install software without them noticing.

The problem affects versions 8.0.x, 8.5.x, and 9.0 of Notes, IBM confirmed on its security bulletin pages.

Unlike many other email systems, Notes (formerly Lotus Notes) allows Java applets and JavaScript tags inside emails, which means that malicious code in an email can run automatically when someone opens it.
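A mail-gateway check for the kind of content described above, as an added example that is not from IBM or the original article: it walks a MIME message and reports HTML parts that carry applet or script elements, inline event handlers, or `javascript:` URLs. The names `scan_message` and `ActiveContentFinder` and the sample message are constructed for illustration, and the `object`/`embed` tags and attribute checks go beyond the two tag types the article names.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Elements that can embed a Java applet or JavaScript in an HTML mail body.
ACTIVE_TAGS = {"applet", "script", "object", "embed"}

# Constructed sample message (not a real email): one plain part, one HTML part.
SAMPLE = (
    b"From: sender@example.com\r\nTo: user@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Plain text body\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><APPLET code="Demo.class"></APPLET>'
    b"<script>void 0;</script>"
    b'<a href="https://example.com/">link</a></body></html>\r\n'
    b"--b1--\r\n"
)


class ActiveContentFinder(HTMLParser):
    """Collects active-content findings; HTMLParser lowercases tag and attribute names."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")


def scan_message(raw: bytes) -> list[str]:
    """Return a finding for each piece of active content in the text/html parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # multipart containers, plain text and attachments are skipped
        finder = ActiveContentFinder()
        finder.feed(part.get_content())  # decoded to str using the part's charset
        finder.close()
        findings.extend(finder.findings)
    return findings
```

A non-empty result from `scan_message` is a signal to quarantine or strip the message before it reaches a client that renders active content.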

IBM classified the problem with a CVSS score of 4.3 out of 10, meaning that it thinks it is critical.

It has issued interim fixes — Interim Fix 1 for Notes 8.5.3 Fix Pack 4 and Interim Fix 1 for Notes 9.0 — for the Windows versions of its software while it works on a permanent solution.

The interim measures negate the threat by disabling the ability to automatically run Java applets and JavaScript in emails, which will also stop custom apps that rely on Java applets or JavaScript from working.

IBM said a fix for Mac machines is also forthcoming.

Linux users are advised to "monitor fix availability in 8.5.3 Fix Pack 5 and 9.0.1" or to inquire about the possibility of obtaining a fix sooner by raising a support request ticket.

IBM also detailed a workaround for users who would rather not wait for a fix to be issued.