SPRTechnote


Potential Buffer Overflow and Directory Traversal Vulnerabilities in Lotus Notes File Viewers

Technote Number: 1229918


Problem:
These issues were reported to IBM Lotus Quality Engineering as SPR# KEMG6FZR4Q,
KEMG6FZRJD, KEMG6F2RCN, KEMG6F3PBT, KEMG6F3NZD, KEMG6FYPF2 and have been fixed
in Notes 6.5.5 and Notes 7.0.1.
Refer to the Upgrade Central site for details on upgrading Notes/Domino to
these releases.

Workaround if 6.5.5/7.0.1 DLLs are available:
The buffer overflow vulnerabilities affect the following files: kvarcve.dll,
uudrdr.dll, tarrdr.dll and htmsr.dll. The directory traversal vulnerability
affects the kvarcve.dll file. These four dll files have been updated in the
fixed releases. If you cannot immediately upgrade the Notes client in your
environment, then it is possible to correct the issue by copying the revised
versions of these dll files from a 6.5.5 release over the versions found in
earlier 6.x releases, or from a 7.0.1 release over the versions found in a 7.0
release.


Workaround if 6.5.5/7.0.1 are not available:
To work around these issues in previous releases of Notes, the affected file
viewers can be disabled either by commenting out the relevant DLLs in the
keyview.ini file found in the program directory or by deleting the files from
the program directory.
There are four options for disabling these viewers:
1. Delete the keyview.ini file in the Notes program directory. This disables
ALL viewers. When a user clicks View (for any file), a dialog box will be
displayed with the message "Unable to locate the viewer configuration file."

2. Delete the problem files (kvarcve.dll, uudrdr.dll, htmsr.dll, tarrdr.dll).
When a user tries to view the specific file types (html pages, tar/uud/zip
archives), a dialog box will be displayed with the message "The viewer display
window could not be initialized." All other file types work without returning
the error message.

3. Comment out specific lines in keyview.ini for any references to the problem
files (dlls). To comment a line, you precede it with a semi-colon (;). When a
user tries to view the specific file types (html files, tar/uud/zip archives),
a dialog box will be displayed with the message "The viewer display window
could not be initialized."

For example:
[KVARCVE]
; 132=ziprdr.dll
; 194=tarrdr.dll
; 167=uudrdr.dll

[KVDOCVE]
...
;210=htmsr.dll
;251=htmsr.dll

Note: Sample LotusScript code that could be used in an agent to automate the
task of commenting the entries in the keyview.ini file is available. The code
is designed to comment out the relevant DLL file entries and affects only
vulnerable releases. This agent works on English Win32 Notes clients only. To
use this sample LotusScript code, do the following:

a. Save the attached LSS file locally.
b. Create a new agent and set it to run LotusScript (that is, make it a
LotusScript agent).
c. Set the agent's Runtime Target property to "None".
d. Give the agent a name.
e. From the menu select File -> Import, and specify the LSS file detached
above.
f. Answer "Yes to all" when prompted to replace the existing content in the
agent.
g. Save the agent and close it.
h. Run the agent on the Notes client you wish to update. The agent checks the
client version, gives you some background information, then asks if you wish to
continue. If you choose yes, then the DLLs are commented out in the keyview.ini
file. If you run the agent multiple times on the same client, it will not
"re-comment" the lines.

4. Set the ViewerConfigFile to an invalid file name using a policy. This can
be done by adding a field to your Desktop Settings policy with the name
$PrefViewerConfigFile and setting it to an invalid file.
Note that if an administrator chooses to set the ViewerConfigFile to an invalid
file name, they will get the same result as Option 1 above.
Results: When a user clicks View (for any file), a dialog box will be
displayed with the message "Unable to locate the viewer configuration file."
This disables ALL viewers.

General instructions on how to distribute notes.ini parameters via policies
have been published in the Domino 7 Administrator's Help Guide under the topic
"Using policies to assign NOTES.INI or Location document settings to Notes
client users."

To use a policy to assign a NOTES.INI value to Notes client users, use the
Domino Designer to add a new field to the Desktop Policy Settings document.
The new field must be named $PrefVariableName, where VariableName is the name
of the NOTES.INI variable you want to set. In the new field on the Desktop
Policy Settings document, enter the value you want assigned to that NOTES.INI
variable. That is the value that is set in the NOTES.INI for the assigned Notes
users.

To push a notes.ini parameter down via a Desktop policy, perform the following
steps:

1. From the Domino Designer, open the desktop policy settings document form.
2. Create a new field named $PrefViewerConfigFile.
3. Set the default value of the field $PrefViewerConfigFile to an invalid file
name.
4. Save and exit.
5. Create a Desktop Settings document as you normally would.
6. Create a Policy document for your users and select the Desktop settings
document created in Step 5. Save and close the Policy document.
7. If you created an explicit policy, assign it to your users.
8. When the Notes clients authenticate with the server, the notes.ini parameter
should be pushed down. (Be aware that the Notes client dynamic configuration
(DCC) must run and it may take until the next day for this setting to take
effect.)
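
For option 3 above, the following added example (not the LotusScript agent that
accompanies this technote, and not IBM or HCL code) audits keyview.ini content
for active entries that load the affected viewers and, on request, comments
them out without re-commenting lines on a second run. It assumes entries have
the "number=dll" shape shown in the example above, performs no Notes version
check, and uses a constructed sample in place of a real keyview.ini.

```python
import re

# DLL names from the technote's problem-file list and its keyview.ini example
# (the example also comments out ziprdr.dll, so it is included here).
TARGET_DLLS = {"kvarcve.dll", "ziprdr.dll", "tarrdr.dll", "uudrdr.dll", "htmsr.dll"}

# Assumed entry shape, as in the technote's example: "<number>=<dll name>".
ENTRY = re.compile(r"^\s*(\d+)\s*=\s*([^\s;]+)")
SECTION = re.compile(r"^\s*\[([^\]]+)\]")


def audit_keyview(text, fix=False):
    """Return (new_text, findings) for keyview.ini content.

    findings holds (line_no, section, entry) for each active entry that loads
    one of TARGET_DLLS. With fix=True those lines are prefixed with ';'.
    Lines that are already commented are never touched, so a repeated run
    changes nothing.
    """
    out, findings, section = [], [], None
    for no, line in enumerate(text.splitlines(keepends=True), 1):
        stripped = line.lstrip()
        if stripped.startswith(";"):      # already commented: leave as is
            out.append(line)
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        m = ENTRY.match(line)
        if m and m.group(2).lower() in TARGET_DLLS:
            findings.append((no, section, stripped.rstrip()))
            if fix:
                line = ";" + line
        out.append(line)
    return "".join(out), findings


# Constructed sample, not a real keyview.ini; examplesr.dll is a made-up name.
SAMPLE = (
    "[KVARCVE]\r\n132=ziprdr.dll\r\n; 194=tarrdr.dll\r\n167=UUDRDR.DLL\r\n"
    "[KVDOCVE]\r\n200=examplesr.dll\r\n210=htmsr.dll\r\n251=htmsr.dll\r\n"
)

if __name__ == "__main__":
    fixed, found = audit_keyview(SAMPLE, fix=True)
    for no, sec, entry in found:
        print(f"line {no} [{sec}] {entry}")
    print(fixed, end="")
```

Run with fix=False first to report which clients still have the viewers enabled, and keep a copy of the original keyview.ini before writing the modified text back.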

Additional background:
In general, users are strongly urged to use caution when opening or viewing
unsolicited file attachments.

The attachments will not auto-execute upon opening or previewing the email
message; the file attachment must be opened by the user using one of the
affected file viewers (from the menu bar, select "Attachment", then select
"View"). In some cases, further user action is also required to trigger the
exploit.

SPR# KEMG6F2RCN affects the uudrdr.dll file and requires that the user view a
malicious UUE file.
SPR# KEMG6F3NZD affects the htmsr.dll file and requires that the user view a
malicious HTML file attachment. To reliably reproduce this issue requires that
the user's Windows account name be exactly 5 characters in length.
SPR# KEMG6F3PBT affects the htmsr.dll file and requires that the user view a
malicious HTML file attachment AND then the user has to click on a URL link
inside the file.
SPR# KEMG6FZR4HQ affects the kvarcve.dll file and requires that the user view a
malicious ZIP file attachment AND extract a file with an overly long filename
into a directory with a long file name. Note that when viewing the attachment
and before extracting the file, an error message will also display in the
viewer.
SPR# KEMG6FYPF2 affects the tarrdr.dll file and requires that the user view a
malicious TAR file attachment and then extract a file with an overly long
filename into a directory with a very long path.
SPR# KEMG6FZRJD affects the kvarcve.dll file and requires that the user view a
malicious ZIP, TAR or UUE file attachment AND click on a filename that
contains the name and the path of a file that exists on the user's system.
Note:
This affects the Notes client on Microsoft Windows operating systems only. The
Domino server is not affected by these issues.