Security flaw demonstrated in Notes

Lotus Notes' security has come under fire from experts who this week demonstrated how email accounts could easily be broken into.

The alleged problems were demonstrated at the most important hacker convention of the year, DefCon, which is being held in Las Vegas. Executives from two security companies - Security Design International and Trust Factory - demonstrated how crackers could break into a user's email box and send messages under that user's name.

Another flaw, relating to Domino server, was also demonstrated which the experts claimed could allow users to circumvent antivirus and malicious code defences.

Lotus said the first problem relied on crackers having access to a user's workstation and also relies on users having the same passwords for both Notes and Domino directory access.

The company said the most serious problem - that the encryption key used to unlock a user's Notes ID can be derived from the default format used to store the http password in the 'person document' in the Domino Directory - can easily be prevented and rests on access by a cracker to a workstation.

Fears about corruption by malicious code, raised because Notes does not issue additional warnings when ActiveX applets are launched under Internet Explorer, can also be addressed, Lotus said in a security notice.

However, it admitted: "When the default browser in Notes is configured to use 'Notes with Internet Explorer', it is subject to the types of attacks that can affect Internet Explorer as a standalone product. If the user ignores ActiveX warnings generated by Internet Explorer, the user may be vulnerable to malicious active content."

Lotus advises users "not to launch or run executable code or any kind from unknown/untrusted sources" and, as a precaution, to view instead of launch or detach attachments. Network administrators can upgrade to a stronger http password format using a tool introduced in R4.6.

Lotus said it has received no reports of attacks using the exploits.