Java applets run wild inside Notes

Attackers with a desire to rummage around inside the PCs of Notes users can do so merely by sending HTML emails containing a Java applet or JavaScript, IBM has admitted in a security advisory. Full Disclosure describes the effects as potentially nasty, saying "This can be used to load arbitrary Java applets from remote sources …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    One can't help but wonder...

    Do the companies leave such blatant backdoors in their corporate software on purpose, and close them only when they're discovered? Oh, sorry, I meant bugs.

    1. Anonymous Coward

      Re: One can't help but wonder...

      No, if it had been an intentional feature of Lotus Notes then it wouldn't have worked properly and no-one would have figured out how to use it anyway.

    2. TheVogon

      Re: One can't help but wonder...

      Lucky almost no one still uses Notes then...

      1. Anonymous Coward

        Re: One can't help but wonder...

        > Lucky almost no one still uses Notes then...

        You would be surprised; it's one of those dirty little IT secrets, like IE6-only intranets.

        Several of my customers use it. You can tell instantly as (for a reason I can't work out) they are the only ones whose mail never has a subject line.

      2. Anonymous Coward

        Re: One can't help but wonder...

        I thought that! But my missus works for a big American corporate and they still use Notes.

    3. Anonymous Coward

      Re: One can't help but wonder...

      IBM - Insert Bug under Mask

  2. Anonymous Coward

    The problem affects Notes 8.5.3 and the new Notes 9

    This must be the reason we never upgrade software: so long as we don't get up to 8.5.3, we're safe.

  3. Paul Crawford

    Seems no one remembered the stupidity of Outlook running attachments.

    Why did anyone think it is a good idea to run, even in supposedly sandboxed code, anything that comes in to your machine?

  4. WeaselNo7

    I recently changed company, to be greeted by the horrible realisation that they use Notes. Do people actually opt to use this disgusting software? Or are all users in the middle of a plan for replacing it? It's just unusable!

    My favourite Notesism so far: F5 to logout. *facepalm*

    1. dmurray1981

      What version are you using?! F5 has been used for refresh for a good number of years now, at least since 8.5 if not 8!

      1. Tom 38

        We used F5 until a couple of years ago, when we thankfully migrated to corporate gmail. Huge parts of our internal company systems were built around Notes/Domino, it was utter hell (and so magical once completed). When the last Notes server was decommissioned, the infra guys ritualistically used a sledgehammer to utterly destroy it.

        1. Captain Scarlet

          Did you sledgehammer the Notes/Domino admins too?

          1. Tom 38

            No, they were already broken.

    2. PerlyKing

      Notes weirdness

      Oh yes. And at one place where they used Notes there was a function key (might have been F4) which would just hang Notes. You know you're in trouble when there's an item in the Windows start menu specifically to kill Notes!

      I was happy when I switched jobs and went back to Outlook *shudder*.

      1. dmurray1981

        Re: Notes weirdness

        From a user's POV, Outlook may well be the easier option (there is an Outlook connector for use with Domino); however, from an admin's POV, Domino is vastly superior to dealing with Exchange.

      2. Anonymous Coward

        ZapNotes

        Yep, not so much a "bad smell" as the stench of failure: the vendor providing an app whose sole function is to run through a list of about 40 other Notes processes killing them all, simply to allow the successful relaunch. Presumably the interconnects and dependencies between the processes are such that they must be started in a specific sequence and can't accommodate re-connection - probably not a trivial task but at the least Notes could detect this state and do the zapping automatically. Instead it became one of the hazing rituals for the new guy in the office: after Notes crashes how long will he spend wrestling with bizarro error messages and manually hunting down "Lotus Corporation" processes in Task Manager before asking for help?

        At least the Lotus developers had some idea of how unstable their product was: some versions deployed to me forcibly set the "Dr Watson" handler (i.e. the AEDebug registry key) to the Lotus fault reporting utility. Annoying, since us code monkeys had the key already nicely set for JIT crash debugging, but also grimly amusing that every time anything crashed on the PC, "Notes" would shyly raise its hand and say "probably it's my fault - do you want to file a bug report?"

      3. Anonymous Coward

        Re: Notes weirdness

        "You know you're in trouble when there's an item in the Windows start menu specifically to kill Notes!"

        Deutsche Bank springs to mind...

    3. Captain Scarlet

      Replace it, I want to go back!

  5. Anonymous Coward

    What always makes me laugh about these Java bugs is that they seem to always involve the use of 'applets'. People are rushing to tell us how they found some new exploit through using Java applets, and they feel so proud of themselves for finding bugs in the code, yet no-one ever seems to mention how nobody has used applets since 2004.

  6. PaulSWithers

    Fix Already Available

    A fix was uploaded to Fix Central for 8.5.4 yesterday and for 9.0.0 this morning. dmurray, you're right, it was 8.0 in 2007. It's possible that the company is using the basic client rather than the standard client. But if not, it's well worth upgrading. Java applets in Notes client apps tend to be rare, from over 10 years' experience as a Domino Developer.

  7. Barbarian At the Gates

    They're honest

    They named them Domino servers because if you give one of them a little push, they all fall down.
