Security researchers have discovered a rare, and potentially serious, security bug in Lotus Notes. A buffer overflow flaw in IBM's groupware package enables hackers to trick users into running hostile code on vulnerable systems. The security bug stems from boundary errors within the Lotus 1-2-3 file viewer (l123sr.dll) component …
I assume you mean 'rare' as in 'rare security bug of this severity'.
Lotus Notes is, for all of us poor users around the world, one enormous bug that happens to be able to send emails on the side. Sometimes.
As Lotus User...
I have to agree with Dan Skinner. Probably the worst piece of software ever written. To make it worse from a security aspect Lotus Notes 6.x requires local admin privliges on a Windows box. Ever tried to manage a network, from a security POV, where EVERYBODY has to have admin privliges in order to do daily task? *sigh*
I assume its rare
because even the security researchers don't want to use it
1. when was the last time you used notes?
2. what you just said about admin privilages is completely bogus. one of it's selling points is that it's isolated from the OS and simply hooks in.
Isn't Lotus Notes itself "hostile code on vulnerable systems"?
Indeed a Rare Bug
Lotus Notes has far less bugs than other packages (*cough* Microsoft *cough*), so yes it is a rare bug. As an avid Notes user for the past 16+ years I can attest to that. There have been about 4 such bugs which caused security breeches. But even this one has very minor effects. For one, any Domino Admin worth their Salt would have AV protection on the system. 123 files are also pretty uncommon these days with most people using the default M$ spreadsheet thing.
And to Dan who seems to think that Notes itself is a bug, I've lost count of the number of times that Notes has out performed other more common software packages. Just because you're incompetent enough to use it doesn't mean the rest of us are.
As a one-time Notes developer...
While I agree that the mail database is crap (or at least was - I'm still on the v5 version), the Notes environment is actually very very good at many things. Very quick development of applications that can automatically run online and offline, autosyncing etc. If you spend more time with it you can get it to do some amazing things. No it's not perfect, and I have spent many years cursing it out loud, but I still use it for certain types of apps where it's well suited. I've got a great wee home-grown bug tracking system running on it at the moment.
Er nope. No it doesn't. Runs fine without them. Just dandy. Automatically provisioned updates from the Domino server require Admin privileges for some releases, but from 7.0.2 onwards, that can be provisioned without the user having elevated rights as well.
Just updated our smart upgrade kits so tomorrow morning our users will get a nice automatic upgrade (I'm at GMT + 0800). They're almost all admins anyway, since they're constantly trying out new development tools.
Christo - stand up, your voice was muffled by your chair dear lad.
I've never seen an environment where administrator privileges are required to run Notes. It'll run quite happily with user privileges, unless you've mucked about with the Windows security.
That's based on 11 years experience with the product, running on every version of Windows except ME (did anyone use that?) and Vista, by the way.
Now, with Vista, you may have a point. The large number of security changes and the fact that Vista shipped late into Notes 6.5's lifecycle mean that it's not going to be supported by IBM. So that's hardly a fair point, but a valid one I suppose.
Vista is supported by Notes 7.0.2 and higher, including the newly released 8.0.
What I suspect you've done is installed Notes in single-user mode, where it will require administrative access to the data directory you selected when you installed it. (NOT to the whole machine.)
Users tend not to have those rights, and therefore you get errors.
That's very easy to fix, and frankly not exactly hard for a networking and security wizard like yourself to have determined with some simple testing. Or a search of the IBM knowledgebase. Both of which I'm sure you were too busy for.
Personally, I'd instead look at installing Notes in multi-user mode. Then it'll put a subset of the data directory into their Windows profile, bypassing the problem entirely.
Either way, good luck fixing it.
Hmm.... some cages rattled
I think it's worth making the distinction between the technical specifications of something like Notes and the actual user experience. I have no knowledge or interest in whether Notes has "out performed other more common software packages" - presumably from a technical point of view, though no actual information is given.
However, from the point of view of someone solely as an end-user, Notes is (in)famous as being about the worst piece of software ever developed. It looks and performs like a shareware beta from 1993. Which, as far as I can tell, is roughly when development ended on it. I've been using it for around 10 years and all the bugs I remember from the early days are still there, exactly as they were several versions ago.
I recently attended an international conference on global communication for my company and number one on the list of problems we face was actually Notes itself! Which is universally detested. Except by David Cotterill apparently :)
Pah Lotus Notes!
I consider myself more than literate with computer systems and last year when I started at a new company had Notes inflicted on me,
When you state that its miles better than Notes compared with other email packages I'd have to diagree. Now I can appreciate that the groupware stuff is useful to some extent but that can be easily replaced witih other packages that have more flexibility and greater control.
Finally the main grip I have are the inconsistencies that are prevalent in the Notes system we have. E.g. what kind of useless program will allow you to press <Ctrl> <A> then not allow you to unselect every email you've just slected in your inbox except by individually either selecting or running the mouse down the side! Or if you enter a specific view, and select a different heading to search by then when you come out of that view and come back its still wrong and cant be rectified without shutting down the Inbox window and re-opening it. Or not being able to select certain graphics that are embedded in emails as attachments to save them out.....
Maybe some of these issues have been improved in newwer versions but it still remains to be seen that they should have been picked up and fixed.
There we go again with Outlook
Frankly, for people to prefer Outlook over Notes just demonstrates how little they know about what they pretend to use.
Yes, Notes is a memory hog. That much is undeniable. And if all you do with it is mail, I do agree that you're better off without it. Blame your management for taking a 20-ton trailer to go shopping.
Lotus Notes is a very efficient development platform that can give extremely efficient applications and can ALSO do mail.
To use Notes ONLY for mail is a bad waste of resources, just as not training users for Notes is bound to bring about the Outlook comparisons and gripes.
For the rest, Outlook is so riddled with security holes and instability that frankly I wonder why the thing was ever accepted in companies in the first place.
The one mistake Notes persists in is not making its interface more Outlook-like. Maybe the fact that Microsoft is just begging for a chance to launch a thousand lawyers at it has something to do with this situation.
Those of you who yearn for Outlook, I truly do wish the best of luck in getting your dream come true. That'll be that much less "it's not like Outlook" complaints in Notes forums. Unfortunately, it'll probably be that much more spam boxes and DDOS launchers to be pwned as well.
And yes, I am a Notes developer, have been for twelve years. And yes, I do make a living out of it, much like a great number of Exchange specialists.
As for the worst piece of software ever written, I'd have to give that gong to IE, hands down.
I'm "forced" to use Lotus Notes, and it sucks big time. I agree with everything the previous poster says. As an e-mail client it is very very poor when compared with the useability of Outlook. Love the fact you have search and find functions which do different things. Limited right click functions. I could go on, but I'm away to check my POP mail with my Outlook client! lol
I served a five year Notus Lotes sentence and I didn't enjoy it. I concede it can do clever groupware stuff like sending emails that the recipient can't save or print, so that The Management can do underhand things without getting caught.
As a vanilla email client though, it utterly sucks.
Actually ALL IBM software sucks
I suffer ClearCase, ClearQuest, Rational Software Modeller / Architect (actually we abandoned them) and others.
One thing they all have in common is that they start with a great idea (often someone else's great idea in a company that IBM has bought), then they smother it with IBM lard and process so that the original smarts are swamped by layers of bloat and administrative incompetence.
Then because you are well and truly locked in, they sell you horrendously overpriced "maintenance" that doesn't actually do anything.
I was recently contacted by a tech support guy over a bug we filed more than 2 years ago, asking if they could take it off the database now because they weren't going to fix it.
The last decent thing they did was OS/2 and I really liked it, but that was 1993. Since then, as far as I can tell, they've survived largely on fat maintenance contracts and a stonking big patent portfolio.
Oh, there is Eclipse I suppose, but even that could do with a crash diet.
I wonder what other people think of IBM? Is it just me?
Reasons for hating Notes
1. Does not publish to ics--only exports as. No one at work can subscribe to my notes calendar using any application other than Notes.
2. Cannot subscribe to an ics file, can only import.
3. Cannot redirect mail, only forward
4. Memory hog. Even worse on OSX.
5. OSX versions released months/years after PC versions.
6. Many employers only use it as an email solution--it *is* overkill in most situations.
7. Non-standard keybindings. Ctrl+N isn't a new message but a new database for instance.
8. Deleting a message from the inbox also deletes any instance of it in any folder. IOW, doesn't copy a message, merely generates pointers.
I'm not a maven by any stretch of the imagination and I know that several of my problems would be solved if my employer were to make better administrative decisions (enabling POP access for instance). Still, I've never had to battle an email / groupware client like I've had to battle Notes when integrating an application with my established workflow.
@Actually ALL IBM software sucks
I work for the big blue and am forced to use Notes, the Rational tool suite, and that ghod forsaken CMVC system. ALL of these tools are crap! The new notes client is based in Eclipse and, while it runs faster on Linux, is still a hog. Why IBM can't figure out how to develop Notes and the Rational suite as Eclipse plugins that work together in one instance of Eclipse is beyond me. Running multiple instances of the IBM bloated Eclipse framework to handle mail and development and project tracking tasks kills my machine every time. On the other hand I do get to bill all that time to the customer.
IBM is becoming nothing more than a body shop, and lard laden project management company. If you are afraid of change hire IBM that should slow things down nicely.
ignorance in -> frustration out
Like *any* piece of software, if you approach it with total clueless incompetence you will not have a good time. Outlook *is* "shareware beta from 1993" - it's free on almost every computer, so it's hard to find someone clueless about it, which is a real shame because it gives you all these numpties who throw up their hands when they see something different.
To have someone look at the incredibly powerful full text search and then the handy and simple (just start typing) quick lookup and complain about it being a step too far / too many options just baffles me.
Of course people who know what they're doing will make money. Just like in almost any type of work. The fact that it's so easy to get an application functioning is almost one of the biggest drawbacks because you get people cranking out apps who really shouldn't be, and thus legions of users who come to places like this to vent their spleens about problems that could mostly be resolved with a little rtfm. If you have competent people administering and developing your Notes / Domino environment, and most importantly at least some basic training, then it can be a joy to use.
The previous 3 versions focused on things more important than making it pretty, but the current version was all about UI. So go and take a look at Notes 8 and then come back and tell us how ugly it looks.
Notes RULES, dumbasses
I'm a 10 yr PCLP certified Notes/Domino administrator and I can tell you after seeing just about every package going, Notes outshines the lot. Nothing can compete with it. It's solid and reliable. If you have issues with it, it's because you don't know what you're doing.
I've designed and built over 100 installations and managed infrastructures with 30,000+ users on it. It's rock solid. Exchange -wishes- it could be as good.
As for the admin rights thing - v6.00, 6.01 and 6.02 (I think) did need local privileges but that was fixed and has not been an issue since early 2005. I suggest you upgrade.
Even IBMers hate notes
I worked for a company swallowed up by IBM, and as soon as we were forced to use Notes, there was a a ton of man-hours spent developing a solution to get out of it. (It involved scripting in notes to push incoming email back out again to a sendmail server.)
What was interesting was all of the griping about Notes on the internal forums, and a total lack of participation from Lotus employees.
My solution involved leaving the company. Staying anonymous just in case they swallow my current company too. :-)
Admin Rights, etc...
I see that the admin rights caused a bit of a stir *sigh*. Yes we are using a very old version of the Notes client. (Phil wish we could upgrade but corporate policy prevents this currently). Like I said in the previous comment we are making use of 6.0x.
To be honest we did have a presentation by IBM on v8 and it really does look amazing. Will have to wait and see what the users think though.
P.S. I'm NOT a security expert by any stretch of the imaganation. However even I can say that installing an app forcing the user to be a local admin is a very bad idea. But then again maybe I should do a bit more searching on the IBM knowledge base as Phillip mentioned.
@ Pascal Monett
Excellent post. So true.
We were using Notes for mail only and when we migrated our servers from Windows to FreeBSD, Domino became a casualty. It doesn't run under Linux emulation.
As Notes doesn't work particularly well with imap, we went lightweight with Thunderbird. All the users want Notes back. Not because Thunderbird was bad, but because they really liked Notes. These are the same people that go home to a Dell installed Outlook.
It is too heavy for just mail. Add a few databases and it shines. If we could get Domino to run under OS X or FreeBSD we'd switch back.
Notes crap? Show me better...
Well, as a former Notes 4.2 user, I must say that I was impressed with it 9 years ago when my school started using it for the "LearningSpace" platform. Damn better than the loads of crap "web apps" that superseded them like BlackBoard or the internally-developed one after that.
One of the things I really, really liked was replication: I was able to do homework AND submit it on time *without* having to be online; something that was crucial in the dialup days of internet.
Apart from that, it had loads of stuff I didn't even know existed back then: PKI management (all logins use this), Access Levels, and loads of stuff. Oh, and we used it for everything *BUT* email. Maybe if you take out the email factor, you'll stop hating it.
Want to see ugly email? Try SAP R/3. Urk!
Lotus stands for:
Lots Of Trouble Usually Serious
(actually that was invented for the cars, but it's equally applicable to the software)
Another Notes detester
We were forced to switch to Notes 6.5 in my company, which has offices all over the world. We are set up so that all mail is stored on a central server. When checking for new mail, it is S.L.O.W. I don't use if for anything else. For a Calendar, I use Mozilla's Sunbird. I could not figure out how to get Notes to do what Sunbird does for me. I wish we were allowed to use Thunderbird at work. I should note that I work with a Windows 98 box with 120 meg of memory, which doesn't help.
My biggest beef with the centralized Notes, a few days ago, one of the offices opened an email that had a virus. Since then, none of us have been able to check our email at work.
Give me a stand alone Pop3 or Imap email client any day.
Buffer Overflow rarity
All the rampant Notes bashing aside... A "BO" can not in any sense be considered rare either as far as security bugs are concerned, as a sloppy programmer forgetting to do simple input validation is unfortunately all too common, so no, this is definitely not a rare bug, more like a dime-a-dozen bug found in yet another piece of software.
Back to the original topic
The security flaw is in Autonomy's Key View software. This is a 3rd party tool that ships with the Lotus Notes clients. It's the "view attachment" feature in Lotus Notes. Other companies, like Symantec and Oracle, also include the Key View software and have the same security flaw.
Lotus Notes - sucks?
Certainly Notes is a unique beast, I'll give it that. But the Domino server runs on almost anything - from Windows through linux to AS/400, Solaris, etc. So it can fit into most roadmaps without too much trouble.
The client.....let's not underestimate how much of a hog Outlook can be too, especially with the cludge setting to use Word as the mail editor...!!
To the person suffering CTRL-A and having to deselect manually - Edit - Deselect All. It's an educational problem (as are many things).
To those wanting POP or IMAP, you mean you want secure POP and IMAP?! The Domino server can offer this too, of course. My Domino server sits with 1352 open to the internet and forces all sessions to encrypt network traffic (that is, once you've authenticated successfully). At the same time, I can use SSL to get to webmail to send and receive emails - all pretty much out of the box.
The Notes client is so unpopular, what with only 120 million seats out there (allegedly) that it's not targetted by the kiddies. Of course a badly-implemented installation with no antivirus, antispam and so-on (especially at the perimeter) can be a liability - but you can't blame Lotus Domino for that.
We have over 100'000 Notesmail users and our solution for this problem is simple; delete the offending DLL from the package and remove it from PCs.
Lotus Notes sucks? Yes, sometimes. But on the whole, it does many, many things very, very well....
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Product round-up Ten Mac freeware apps for your new Apple baby
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Product round-up The Glorious Resolution: Feast your eyes on 5 HiDPI laptops