If you haven't already killed Lotus Notes, IBM just gave you the perfect reason to do it now, fast

IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code. In its advisory, IBM says the Notes Smart Updater service, which sees upgrades of Notes sent to users' desktops, “can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp …

Silver badge
Alien

IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.

I thought notes WAS the malicious code.

55
9
Anonymous Coward

IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.

I thought notes WAS the malicious code.

They're just afraid Blotes might run *better* afterwards...

3
3
Silver badge

Old joke is still best joke.

Have an upvote Fozzy!

0
2
Silver badge

Wakka wakka!

1
2
Anonymous Coward

I find it amazing that there are companies that can run their business on shite like Lotus Notes, and seem to just bounce from disaster to disaster, Notes, CMSynergy, Sharepoint, TFS etc etc....

Do people not even bother with product evaluations, and just assume that because it's IBM or Microsoft, it's going to be great? The era of nobody getting fired for buying Microsoft or IBM is long gone, you ARE accountable now...

2
4

There are two kinds of people, those who understand what Notes is and what it can do (very rare) and then there are people who don't but slag it off anyhow.

3
0

CVE-2018-1383

The affected fileset is bos.cluster.rte, so this should be within the CAA subsystem. Probably something with guessing cluster and node id and then impersonating another node. The kind of "exploit" which only works if you already have extensive knowledge, privilege and time within the network on your hands.

5
2

Re: CVE-2018-1383

"extensive knowledge, privilege and time"

Like governments

6
2
Anonymous Coward

Re: CVE-2018-1383 @Seven

Methinks you've seen some of the internal documentation! Some scuttlebutt appears to suggest that this is indeed the problem.

AIX will only have this fileset if it's in some form of cluster, so non-clustered AIX systems will not suffer from this vulnerability.

0
2

Re: CVE-2018-1383 @Seven

Unfortunately I have not seen internal documentation, otherwise I wouldn't be working here[tm]. I do have quite some experience with IBM though.

CAA is always with AIX, though HACMP these days uses it for topology services. If it only affected HACMP I would have been unable to pin it down to CAA; HACMP probably has enough holes on its own.

1
1
Silver badge

Re: CVE-2018-1383 @Seven

I took the efix apart yesterday (publicly available to anybody and can be examined using anything that understands tar), the description is "ABSTRACT=CAA clcomd fix", and the only thing that is shipped with it is a replacement for /usr/sbin/clcomd.

Whilst it is true that this fileset is shipped as part of AIX (although only usable on Standard and Enterprise edition, not Express), it is only needed on systems that are clustered in some way. I know it is needed by System Mirror PowerHA (HACMP), but I suspect that it may also be used by some of the other cluster services like Spectrum Scale Storage (GPFS) and maybe other things that use RMC/RSCT, although it is not used for communication with the HMC.

The published APARs contain virtually no information about the nature of the vulnerability, so it would require internal knowledge to definitively know what the problem is.

Maybe the AC who replied to you actually has seen something to confirm your guess.

I am currently involved in running a mixed estate of clustered and non-clustered (PowerHA) AIX systems, and clcomd is generally not running on the non-clustered systems.

3
1
Silver badge

Re: CVE-2018-1383

> The kind of "exploit" which only works if you already have extensive knowledge, privilege and time within the network on your hands.

Or if you pick up a script that can work out all that stuff for you, I expect.

0
1

I wonder how many customers are even using this feature.

I seem to recall that it arrived in Notes 6.x, but required admin rights on the machine or Windows local admin credentials stored in the Notes infrastructure. It was a nice idea, but implementing it tended to make security teams antsy. Later versions (7+) improved it, but frankly not quite enough.

As such, whilst it wasn't a bad feature, most companies went with a third party packaging/deployment tool that could also handle all their other software. Investing the time and effort into Smart Upgrade just to get Notes upgraded wasn't worth the hassle if you could instead get something else to do the job for all your software.

If this feature had shipped five or ten years earlier, it would have gotten widespread adoption. But I always felt it was just a little too late. I'm sure some customers are using it, but I'd bet that the vast majority aren't.

Disclaimer: I'm no longer working with Notes. Nor, for that matter, with Exchange. The cloud has pretty much killed the messaging employment market. (There's a lot of migration jobs, but that's not exactly a career...)

25
0
Anonymous Coward

Using %windir%\temp is very bad programming practice which shows the age of Notes - and which was never fixed, it looks. Nowadays everything under the Windows directory should be regarded as OS private, and, unless you're writing OS extensions, you should never mess with its contents, nor require the privileges to be able to write within. If you can mess there, usually you can mess the whole system.

Moreover, anything you download and run should be signed with a certificate you trust, and still run with the minimum privilege required.

24
0
Silver badge

Not even IBM,...

... IBM used to use an in house (or rebadged) tool called ISSI (IBM Standard Software Installer) to upgrade applications. So the largest user base out there didn't use this feature.

19
0
Silver badge

...about as bad as writing anything into the "program files" directory when the writer is not an installation or update process.

Oh wait, lots of extremely poorly written applications still seem to think that this tree is a good location for data or log files.

13
0
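The two comments above, on staging updates under %windir%\temp and on applications writing into the Program Files tree, come down to one rule for an updater: never load or run a payload from a directory that unprivileged users can write to, and verify who signed it before executing anything. The PowerShell below is an added example written for this thread, not code from IBM, Notes or any commenter; the staging path, the `ExampleUpdater` directory name and the publisher thumbprint are placeholders you would replace with your own values.

```powershell
# Added example (not IBM's, Notes' or any commenter's code): checks a Windows
# updater should run before loading a downloaded DLL or executing a downloaded
# installer. All values below the function definitions are placeholders.

# Well-known SIDs for principals that should never be able to write where an
# update payload is staged: Users, Authenticated Users, Everyone, Interactive.
$script:LowPrivilegeSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4')

function Test-WritableByUnprivileged {
    # Returns $true if any low-privilege principal holds an Allow ACE granting
    # write or delete rights on $Path. Throws if the ACL cannot be read.
    param([Parameter(Mandatory)][string]$Path)
    # Write covers CreateFiles/WriteData and CreateDirectories/AppendData;
    # Delete lets a directory be removed and recreated under attacker control.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so localized account names do not matter.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: ignore this ACE
        if ($script:LowPrivilegeSids -notcontains $sid) { continue }
        # Generic rights bits on inherited ACEs fall outside the enum, so the
        # comparison is done on plain integers.
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

function Test-UpdatePayload {
    # Fail closed: $true only if the staging directory is not writable by
    # unprivileged users AND the file carries a valid Authenticode signature
    # from the expected publisher certificate.
    param(
        [Parameter(Mandatory)][string]$PayloadPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    try {
        $stagingDir = Split-Path -Path $PayloadPath -Parent
        if (Test-WritableByUnprivileged -Path $stagingDir) {
            Write-Warning "Refusing '$PayloadPath': '$stagingDir' is writable by unprivileged users."
            return $false
        }
        $sig = Get-AuthenticodeSignature -FilePath $PayloadPath -ErrorAction Stop
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Refusing '$PayloadPath': signature status is '$($sig.Status)'."
            return $false
        }
        if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            Write-Warning "Refusing '$PayloadPath': signed by '$($sig.SignerCertificate.Subject)', not the expected publisher."
            return $false
        }
        return $true
    } catch {
        Write-Warning "Refusing '$PayloadPath': $($_.Exception.Message)"
        return $false
    }
}

function Find-LooseAppDirectories {
    # Audit for the Program Files complaint: application trees whose ACL has
    # been loosened so that unprivileged users can write into them.
    param([string]$Root = $env:ProgramFiles)
    foreach ($dir in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
        try {
            if (Test-WritableByUnprivileged -Path $dir.FullName) { $dir.FullName }
        } catch { }   # directories whose ACL we cannot read are skipped
    }
}

# Placeholder values (constructed for this example, not from the advisory).
$payload = Join-Path $env:ProgramData 'ExampleUpdater\staging\update.dll'
$publisherThumbprint = 'REPLACE-WITH-PUBLISHER-CERT-THUMBPRINT'

# On a default install BUILTIN\Users can normally create files under
# %windir%\Temp, so staging there fails the first check; a staging directory
# that grants write access only to SYSTEM and Administrators passes it.
"Temp writable by unprivileged users: $(Test-WritableByUnprivileged -Path (Join-Path $env:windir 'Temp'))"

if (Test-UpdatePayload -PayloadPath $payload -ExpectedThumbprint $publisherThumbprint) {
    # Only at this point would an updater load or run the payload, and still
    # with the least privilege the update itself needs.
    Write-Output "Payload passed both checks."
}

Find-LooseAppDirectories
```

The thumbprint pin matters as much as the `Valid` status: a signature that chains to any trusted root only proves someone with a code-signing certificate built the file, while pinning to the publisher's certificate proves it came from the vendor the updater expects. Run the audit function with elevated rights so that every directory's ACL can be read.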
Silver badge

How many? You would be surprised. I know I was. There are still many companies using this world wide. Rather large companies at that.

Sorry, can't name names on this one. Confidentiality and all that.

0
0
Silver badge

Coop Bank, Sopra Steria, IBM . . .

1
0
Silver badge

> Sorry, can't name names on this one. Confidentiality and all that.

Embarrassment rather than confidentiality, I suspect.

1
0

I was a Notes admin at IBM for a decade and never saw a customer use the auto update service.

16
0
Anonymous Coward

Notes is still a thing???!!

You mean people are still using it??!! :-O

10
6
Silver badge
Windows

Re: Notes is still a thing???!!

You mean people are still using it??!! :-O

Well, people are also still using Outlook, I know, crazy!

23
8
Silver badge
Coat

Re: Notes is still a thing???!!

"You mean people are still using it"

Odd, they're all going down like Dominos

26
2
Anonymous Coward

"Well, people are also still using Outlook, I know, crazy!"

Yes, it's incredible the "big open source community" could never deliver anything better than Outlook, and even Thunderbird is suffering lack of support.

32
4
Anonymous Coward

Re: "Well, people are also still using Outlook, I know, crazy!"

>>even Thunderbird is suffering lack of support.

I worked on and used Thunderbird for a long time but gave up a few years ago when it became very clear that Mozilla didn't really give a damn about it. It had potential but it was never anywhere near Outlook in terms of functionality or ease of use, tbh it was like Windows 2000 era Outlook Express (and about as nice to look at) but slightly less dangerous to use.

But hell, back when I was working on it and using it, the damned thing didn't even have a built in calendar. You had to install an extension. And Sunbird, the "official" Calendar extension kind of sucked.

On the plus side, the Enigmail extension was pretty easy to use for encrypted email, provided you knew how to use GnuPG, so it wasn't all bad, just disappointing.

15
1
Silver badge

Re: "Well, people are also still using Outlook, I know, crazy!"

>Yes, it's incredible the "big open source community" could never deliver anything better than Outlook

There is Zimbra...

1
6
Anonymous Coward

Re: "Well, people are also still using Outlook, I know, crazy!"

Has Zimbra a desktop client? Web client solutions are useless to Outlook users.

We're talking about Outlook, not Exchange, even if of course Outlook is designed to work with Exchange, but a lot of people choose Exchange exactly because it has a desktop client like Outlook, not vice versa.

10
1

Re: Notes is still a thing???!!

You compare the cost of migrating off it to the cost of leaving it alone

5
0
Anonymous Coward

Re: Notes is still a thing???!!

Notes is still a thing for IBMers, those that haven't been "voluntary redundancy"d

1
1
Silver badge
Thumb Up

Re: "Well, people are also still using Outlook, I know, crazy!"

I use it at home to monitor my three webmail accounts. It works OK...for what I do with it.

Sure wish there was some real competition for Outlook from the open source community.

I think part of the problem might be that it's such a moving target, what with features and protocols seemingly changing drastically with every release.

// wouldn't mind a (file-compatible) replacement for Project and Visio, while I'm wishing...

3
0

Re: "Well, people are also still using Outlook, I know, crazy!"

I don't think Thunderbird ever aimed at being a replacement for Outlook, though having a calendar is handy (and lightning is integrated now), it's a mail client and still does that well. Evolution was meant to be an Outlook-equivalent, but I haven't used it for anything other than the address book in years.

2
0
Silver badge

Re: "Well, people are also still using Outlook, I know, crazy!"

could never deliver anything better than Outlook

Because Outlook is not something to be admired, it's a mahoosive vendor lock in masquerading as a feature full email client. FOSS follows KISS, Outlook does not.

13
2
Silver badge
Pint

Re: "Well, people are also still using Outlook, I know, crazy!"

>Has Zimbra a desktop client?

https://www.zimbra.com/zimbra-desktop/ :)

BTW I'm not suggesting Zimbra is a wonderful all singing-and-dancing replacement for Outlook, just answering the original question...

1
0
Silver badge
Windows

Thunderbird != Outlook

not even close.

The one thing about Outlook - for better, for worse, is it integrates calendar and email as seamlessly as a clueless user needs.

One thing about being out of the corporate fold, and using Linux for *everything* is you realise how good MS were where it counts.

That said, I never understood why even Outlook couldn't match calendar entries and OOO so that if you accepted a meeting as OOO, your Outlook wouldn't automatically switch OOO on ???????

4
0
Silver badge

Re: "Well, people are also still using Outlook, I know, crazy!"

Zimbra has become a bloated mess, and an albatross around whichever company happens to own it at any given time. Citadel is a true open source alternative and people love it.

0
0
Silver badge

Re: "Well, people are also still using Outlook, I know, crazy!"

That's harsh imo. It's still in use because it's easier to give everyone it rather than split the user base into ordinary and power users (generally sales or customer facing).

And it has *no* real competitors.

1
0
Silver badge

Re: Thunderbird != Outlook

Serious question here: Why is having a calendar in your email client a good thing?

Every time Outlook is discussed this comes up as its main advantage - and I just don't get it. Sure I see that having some good calendar functionality is useful, but it's not something I ever see as related to email (reminders being sent to your inbox being the obvious exception).

2
1
Anonymous Coward

Re: Thunderbird != Outlook

It's not just the calendar itself. It's the groupware functionality. You can check the availability of people, rooms, etc. while setting up a meeting, find the slot you need, have mail sent automatically, add documents to the meeting, and be notified about who accepts and who doesn't. When you accept, your calendar is automatically updated, and you can add notes or items to the response. You can also move the meeting and updates to everybody happen automatically. You can also open other people's mailboxes or calendars and operate on them, if you have the permissions. Very useful for assistants, and they do that with their login and with given permissions, no need to share passwords and give full unfettered access, and everything is logged. You can also have shared ones.

All features that are overkill for single users or small groups, but are very useful for medium and large organizations.

Outlook is not a mail client with added features, is a groupware client which includes email.

Notes paved the way, but it kept an ugly UI and made many features less usable. Outlook introduced many new UI elements, i.e. the grouping tables, the Outlook bar, which made its use far more practical and productive.

7
0
Silver badge

Re: Thunderbird != Outlook

Thanks for that insight, but all of that is really a feature of Exchange I guess, and not of the "email client" as such.

2
1
Anonymous Coward

KISS...

Yes, but in this case it means Keeping It Subpar, Sorry.

It is true that Outlook is also a big lock-in into Exchange, but if FOSS ever delivered something comparable, many would have switched happily. There's a limit to simplicity, past which it just means lack of power and features.

Outlook offers a very well designed and powerful GUI to let the user manage groupware items quickly and comfortably.

Unluckily FOSS is often not able to deliver great GUI applications. One reason is probably the fragmentation of desktop managers, widgets and graphics libraries. Another is the lack of good GUI development tools and libraries, which are not easy to code. Up to the point that most GUI applications are written in Java, with all the disadvantages of a memory-hungry VM and slow UI.

That's also a big roadblock to broaden Linux desktop usage, not everybody likes a command line or a browser.

2
0
Anonymous Coward

Re: "Well, people are also still using Outlook, I know, crazy!"

A Java client? OMG!

Java, one of the few things that are as bad as Notes to have installed. Only Flash is worse.

3
0


Anonymous Coward

Re: "Well, people are also still using Outlook, I know, crazy!"

I would prefer GSuite any day of the week over Notes or Outlook, it's also vastly more secure and much cheaper too. You would have to be insane to not try it out. Things that used to be hassle are now totally seamless.

The era of installing applications is dead.

1
2
Silver badge

Re: Thunderbird != Outlook

>Serious question here: Why is having a calendar in your email client a good thing?

You're approaching this from the wrong direction: the question is why is having email in your PIM/groupware client a good thing?

Remember MS were (as usual) coming from behind: they didn't have a PIM - a market being lost to Lotus Organiser (and others), they didn't have an email client that could stand against Lotus cc:Mail (and others), plus they didn't have a groupware/collaboration platform, unlike Lotus with Notes. In this context Outlook/Exchange had to cover a lot of bases in quick order, fortunately for MS, Lotus had shown the way, MS were able to avoid the worst pitfalls and use hype to unseat Lotus...

So returning to your question, the answer is because you only need to purchase a single client licence...

3
0
Silver badge

Re: "Well, people are also still using Outlook, I know, crazy!"

> ... anything better than Outlook...

Outlook is a monolithic chunk of stuff that doesn't all belong in one application, unless the intent is to brick users up into a lucrative silo.

1
0
Silver badge

Re: Thunderbird != Outlook

> ... a clueless user ...

And there you have it.

In this case, "clueless" meaning "can't tell the difference between a message and an event" (i.e. email and calendar).

0
0
Silver badge

Re: KISS...

"Outlook offers a very well designed and powerful GUI"

Used to. That was the greatest advantage MS had, and of course they had to fix it.

2
0
Anonymous Coward

Re: "Well, people are also still using Outlook, I know, crazy!"

gliffy.com may work for you as regards replacing Visio....

0
0
Silver badge

Bloated goats still alive?

2
0
Bronze badge

Power8/9 get fixes, older chips are out of service, yet I bet Big Blue are still milking service contracts from some users and leaving them vulnerable; typical of tech companies, abandoning their hardware to promote inbuilt obsolescence!

0
0


Biting the hand that feeds IT © 1998–2018