|
|
|
|
| |
Credit:
The information has been provided by iDefense Labs Security Advisories.
|
| |
Vulnerable Systems:
* Lotus Notes 8
This vulnerability exists within the "wp6sr.dll" which implements the processing of Word Perfect Documents. When processing certain records, data is copied from the file into a fixed-size stack buffer without ensuring that enough space is available. By overflowing the buffer, an attacker can overwrite control flow structures stored on the stack.
Analysis:
Exploitation allows attackers to execute arbitrary code with the privileges of the user. In order to exploit this vulnerability, an attacker must cause a specially crafted Word Perfect Document to be processed by an application using the Autonmoy KeyView SDK.
In cases such as Lotus Notes, this requires that an attacker convince a user to view an e-mail attachment. However, in other cases processing may take place automatically as a document is examined.
Workaround:
For Lotus Notes, it is possible to disable the processing of WPD files by removing, or commenting out, the line referencing "wp6sr.dll" from the "KeyView.ini" file within the Lotus Notes program directory. Deleting "wp6sr.dll" from the affected system will also prevent exploitation.
For Symantec Mail Security, disabling "content filtering" will prevent exploitation.
Additional workarounds are available from the individual vendors' advisories referenced below.
Vendor response:
IBM Support has released workarounds and a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21377573
Symantec has released patches which addresses this issue. For more information, consult their advisory at the following URL:
http://www.symantec.com/avcenter/security/Content/2009.03.17a.html
Autonomy has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
https://customers.autonomy.com/support/secure/docs/Updates/Keyview/Filter%20SDK/10.4/kv_update_nti40_10.4.zip.readme.html
CVE Information:
CVE-2008-4564
Disclosure Timeline:
11/24/2008 to Autonomy - 1st notice
12/04/2008 From Autonomy - 1st response
12/04/2008 to Autonomy - 2nd notice
12/05/2008 From Autonomy - PoC Request
12/08/2008 to Autonomy - PoC sent
12/09/2008 From Autonomy - PoC Resend Request
12/09/2008 to Autonomy - PoC Resend sent
12/11/2008 From Autonomy - PoC Clarification Request
12/11/2008 to Autonomy - PoC Clarification reply
01/14/2009 From Autonomy - Reset tentative disclosure / patch date
01/14/2009 From Symantec - 1st response
01/14/2009 to IBM & Symantec - 1st notice
01/19/2009 From IBM - 1st response & PoC Request
01/21/2009 From Autonomy - New proposed tentative disclosure date - End of February 2009
01/21/2009 From Symantec - Proposed tentative disclosure date - February 24, 2009
01/30/2009 Multiple vendor coordination status sent
01/30/2009 to IBM - PoC resent
02/05/2009 From IBM - clarification request
02/12/2009 From IBM - clarification request
02/13/2009 to IBM - clarification response
02/18/2009 From IBM - requests PoC clarification
02/19/2009 to IBM - PoC clarification sent
02/23/2009 From Symantec - cross-vendor status request
02/23/2009 to Symantec - cross-vendor status sent
02/27/2009 From IBM - progress report received
02/27/2009 From Symantec - cross-vendor status request
03/02/2009 From IBM - vulnerability confirmed, patch ready
03/10/2009 All vendors agree on March 17, 2009
03/10/2009 From IBM - Proposed tentative date be a Tuesday or Wednesday
03/10/2009 From Symantec - cross-vendor status request
03/10/2009 From Symantec - cross-vendor status request
03/10/2009 Multiple vendor coordination status sent - proposed March 17, 2009 release
03/10/2009 To Symantec - status report sent
03/17/2009 Coordinated Public Disclosure
|
|
|
|
|
