Not logged in » Login
Feb 13 2018

IBM Patches Update Service for Notes

Users who still rely on Big Blue's legendary groupware may have a busy week ahead: According to a recently elevated security alert, the program's auto-update service (aka iNotes SUService) and the related client application can be tricked into "running malicious code from a DLL masquerading as a Windows DLL in the temp directory." Since most users consider auto-updaters to be inherently trustworthy, a flaw in these tools provides an elegant and extremely dangerous attack vector for miscreants to hijack the software and steal confident information or take control of affected machines.

Per IBM's alerts here and here, the bug – which is listed as CVE-2017-1711 in the Common Vulnerabilities and Exposures database – amounts to a privilege escalation flaw and affects the following releases of IBM Notes and IBM Client Application Access:

  • IBM Notes 9.0.1 to 9.0.1 FP10
  • IBM Notes 9.0 to 9.0 IF4
  • IBM Notes 8.5.3 to 8.5.3 FP6 IF15
  • IBM Notes 8.5.2 to 8.5.2 FP4 IF3
  • IBM Notes 8.5.1. to 8.5.1 FP5 IF3
  • IBM Notes 8.5 release
  • IBM Client Application Access 1.0.1
  • IBM Client Application Access
  • IBM Client Application Access Interim Fix 1

Fixes are available for IBM Notes Standard 9.0.1 FP10IF1 and IBM Notes Basic 9.0.1 FP10IF1 as well as IBM Client Application Access IF2; customers relying on older versions may open a service request under the moniker SPR# PPUEASNC5D.

The bug was originally detected by Lasse T. Borup, a researcher with the Copenhagen-based security outfit Improsec ApS. He first ran into it over the course of last year when doing Windows security reviews for customers and reported the issue back to IBM, who published a first warning in mid-November. Just why Big Blue is pushing the issue once again remains unclear; users looking for comprehensive info will find more details in Borup's 3-part study that's available via Improsec's blog.


Comments on this article

No comments yet.

Please Login to leave a comment.


Please login

Please log in with your Fujitsu Partner Account.


» Forgot password

Register now

If you do not have a Fujitsu Partner Account, please register for a new account.

» Register now