Java applets run wild inside Notes

Attackers with a desire to rummage around inside the PCs of Notes users can do so merely by sending HTML emails containing a Java applet or JavaScript, IBM has admitted in a security advisory. Full Disclosure describes the effects as potentially nasty, saying "This can be used to load arbitrary Java applets from remote sources ( …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

One can't help but wonder...

Do the companies leave such blatant backdoors in their corporate software on purpose, and close them only when they're discovered? Oh, sorry, I meant bugs.

0
2
Anonymous Coward

Re: One can't help but wonder...

No, if it had been an intentional feature of Lotus Notes then it wouldn't have worked properly and no-one would have figured out how to use it anyway.

22
0
Bronze badge
Mushroom

Re: One can't help but wonder...

Lucky almost no one still uses Notes then...

1
1
Anonymous Coward

Re: One can't help but wonder...

> Lucky almost no one still uses Notes then...

You would be surprised, it's one of those dirty little IT secrets like IE6-only intranets.

Several of my customers use it. You can tell instantly as (for a reason I can't work out) they are the only ones whose mail never has a subject line.

0
0
Anonymous Coward

Re: One can't help but wonder...

I thought that! But my missus works for a big American corporate and they still use Notes.

0
0
Anonymous Coward

Re: One can't help but wonder...

IBM - Insert Bug under Mask

0
0
Anonymous Coward

The problem affects Notes 8.5.3 and the new Notes 9

This must be the reason we never upgrade software, so long as we don't get up to 8.5.3 we're safe.

0
0
Silver badge
FAIL

Seems no one remembered the stupidity of Outlook running attachments.

Why did anyone think it is a good idea to run, even in supposedly sandboxed code, anything that comes in to your machine?

3
0
Facepalm

I recently changed company, to be greeted by the horrible realisation that they use Notes. Do people actually opt to use this disgusting software? Or are all users in the middle of a plan for replacing it? It's just unusable!

My favourite Notesism so far: F5 to logout. *facepalm*

1
1
WTF?

What version are you using?! F5 has been used for refresh for a good number of years now, at least since 8.5 if not 8!

1
0
WTF?

Notes weirdness

Oh yes. And at one place where they used Notes there was a function key (might have been F4) which would just hang Notes. You know you're in trouble when there's an item in the Windows start menu specifically to kill Notes!

I was happy when I switched jobs and went back to Outlook *shudder*.

0
0
Silver badge

We used F5 until a couple of years ago, when we thankfully migrated to corporate gmail. Huge parts of our internal company systems were built around Notes/Domino, it was utter hell (and so magical once completed). When the last Notes server was decommissioned, the infra guys ritualistically used a sledgehammer to utterly destroy it.

1
0
Bronze badge

Did you sledgehammer the Notes/Domino admins too?

1
0
Bronze badge
Terminator

Replace it, I want to go back!

0
0

Re: Notes weirdness

From a user's POV Outlook may well be the easier option, there is an Outlook connector for use with Domino, however from an Admin's POV, Domino is vastly superior to dealing with Exchange.

3
0
Silver badge

No, they were already broken.

0
0
Bronze badge
Devil

ZapNotes

Yep, not so much a "bad smell" as the stench of failure: the vendor providing an app whose sole function is to run through a list of about 40 other Notes processes killing them all, simply to allow the successful relaunch. Presumably the interconnects and dependencies between the processes are such that they must be started in a specific sequence and can't accommodate re-connection - probably not a trivial task but at the least Notes could detect this state and do the zapping automatically. Instead it became one of the hazing rituals for the new guy in the office: after Notes crashes how long will he spend wrestling with bizarro error messages and manually hunting down "Lotus Corporation" processes in Task Manager before asking for help?

At least the Lotus developers had some idea of how unstable their product was - some versions deployed to me forcibly set the "Dr Watson" handler (i.e. AEDebug registry key) to the Lotus fault reporting utility. Annoying - since us code monkeys had the key already nicely set for JIT crash debugging of crashes - but also grimly amusing that every time anything crashed on the PC "Notes" would shyly raise its hand and say "probably it's my fault - do you want to file a bug report?"

1
0
Anonymous Coward

Re: Notes weirdness

"You know you're in trouble when there's an item in the Windows start menu specifically to kill Notes!"

Deutsche Bank springs to mind...

0
0
FAIL

What always makes me laugh about these Java bugs is that they seem to always involve the use of 'applets'. People are rushing to tell us how they found some new exploit through using Java applets and they feel so proud of themselves for finding bugs in the code, yet no-one ever seems to mention how nobody has used applets since 2004.

0
0

Fix Already Available

A fix was uploaded to Fix Central for 8.5.4 yesterday and for 9.0.0 this morning. dmurray, you're right, it was 8.0 in 2007. It's possible that the company is using the basic client rather than the standard client. But if not, it's well worth upgrading. Java applets in Notes client apps tend to be rare, from over 10 years' experience as a Domino Developer.

2
0
Flame

They're honest

They named them Domino servers, because if you give one of them a little push, they all fall down.

0
0