Lotus Flaw Threatens Email Security
January 10, 2001
Lotus has given the highest priority to fixing a security hole in its Domino messaging system that could allow junior employees to read the email of the most senior figures in companies using the software.
The exploitable gap in the system's security was reported to the moderated industry mailing list Bugtraq late on Monday. It prompted some consultants to inform clients that they had no secure alternative but to shut down their email servers until a workaround was published.
The gap allows any authorised user of the Domino mail system to gain access to any mailbox in the system by modifying the traffic between their client and the Domino server or by modifying the client software itself.
The problem remains even if the system administrator has set up access control lists, and it allows the most junior clerk to gain access to the boss's email if he or she can follow the now-published procedure.
However, it appears that the problem is dependent on how Domino has been configured and may only affect some users. Security industry professionals began posting suggestions for a workaround late on Tuesday, and Lotus has now published a workaround on its www.notes.net website.
A spokeswoman for Lotus said the company was aware of the issue and hoped to have a patch ready by 13 January. She added that a full statement had been posted on the Notes/Domino Gold release Forum at the notes.net website.
Experts said they were not surprised that such a problem had been discovered and predicted that more would come to light as security professionals switched their focus from Microsoft products to those of other vendors.
Paul Rogers, network security analyst at MIS Corporate Defence Solutions, said: "It was only a matter of time before a serious vulnerability was discovered in Lotus, or a similar messaging system, as security professionals start to put them under the same degree of scrutiny as they do products from Microsoft."
To see more of VNUNet go to http://www.vnunet.com
© 2001 VNU Business Online Limited (UK)