Daniel Nashed 3 May 2013 16:16:42
There is an issue in the Notes client that you should be aware of.
heise Security posted about this issue yesterday: http://www.h-online.com/security/news/item/Huge-Java-hole-in-Lotus-Notes-1855406.html
There have been issues with the underlying JVM, which makes it more critical.
This can be done via notes.ini or Preferences, and you can also distribute it via desktop policies and lock it down.
A paranoid administrator would have already disabled it when the first issues with Java security were reported a while ago (not just the IBM JVM but also the Oracle JVM).
There is an Interim Fix available since yesterday which does not allow this functionality in HTML email. The just-released 8.5.3 FP4 and 9.0 are also affected.
You don't need to install the fix ASAP, but you should at least disable the functionality using policy settings as a short-term solution.
I agree that this can be a potential risk and would also rate it quite high. At the time it was implemented, customers wanted to have this new flexibility.
It would have been good to be able to control it in mail with a separate setting and have it disabled by default.
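
The following is an added example, not part of the original post: a small audit that checks notes.ini text for the notes.ini route mentioned above. It assumes the functionality in question is controlled by the notes.ini parameters EnableJavaApplets, EnableJavaScript and EnableLiveConnect, which the post itself does not name, and that a value of 0 means disabled; the sample input is constructed.

```python
# Added example: audit notes.ini text for the client-side scripting switches.
# Assumption: the three parameter names below are the relevant notes.ini
# settings and 0 means "off"; the post itself does not name them.
SETTINGS = ("EnableJavaApplets", "EnableJavaScript", "EnableLiveConnect")


def parse_notes_ini(text):
    """Return {lowercased key: [values in file order]} for key=value lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks, the [Notes] header and malformed lines
        key, value = line.split("=", 1)
        found.setdefault(key.strip().lower(), []).append(value.strip())
    return found


def audit(text):
    """Map each setting to 'disabled', 'enabled', 'missing' or 'conflict'."""
    parsed = parse_notes_ini(text)
    report = {}
    for name in SETTINGS:
        values = parsed.get(name.lower(), [])
        if not values:
            report[name] = "missing"    # never set, so not explicitly disabled
        elif len(set(values)) > 1:
            report[name] = "conflict"   # duplicate key with different values
        elif values[0] == "0":
            report[name] = "disabled"
        else:
            report[name] = "enabled"
    return report


def is_locked_down(text):
    """True only if every setting is explicitly set to 0."""
    return all(state == "disabled" for state in audit(text).values())


# Constructed sample, not taken from a real client.
SAMPLE = """[Notes]
KitType=1
EnableJavaApplets=0
enablejavascript=1
EnableLiveConnect=0
EnableLiveConnect=1
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
    print("locked down:", is_locked_down(SAMPLE))
```

A "missing" or "conflict" result is treated as not locked down, so a client only passes when each switch is explicitly and unambiguously set to 0.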