Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed


IBM Notes accepts Java applet and JavaScript tags inside HTML

Daniel Nashed  3 May 2013 14:16:42


There is an issue in the Notes client that you should be aware of.
heise Security posted about this issue yesterday: http://www.h-online.com/security/news/item/Huge-Java-hole-in-Lotus-Notes-1855406.html

Notes has allowed Java, JavaScript and applets in emails for a long time. I tested with an old Notes 7 client today.
There have been issues with the underlying JVM, which makes this more critical.

The article, and also the IBM technote released yesterday (http://www.ibm.com/support/docview.wss?uid=swg21633819), describe how to disable Java, JavaScript and applets in the Notes client.
This can be done via notes.ini or Preferences, and you can also distribute it via desktop policies and lock it down.
A paranoid administrator would already have disabled it when the first issues with Java security were reported a while ago (not just in the IBM JVM but also in the Oracle JVM).

You can also change the ECL settings for Java and JavaScript locally on your workstation, or deploy them centrally, so that unsigned code cannot be executed. This even works with an older Notes 7 client.
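If you distribute the notes.ini change via policy, you will want to verify that it actually arrived on the workstations. The following script is an added example, not part of the original post and not IBM code: it parses notes.ini text (one NAME=value per line, names case-insensitive, blank lines ignored) and reports settings that are missing, have the wrong value, or are defined more than once. The setting names and values in REQUIRED_SETTINGS are placeholders; take the real ones from the IBM technote linked above. The sample notes.ini content is constructed for the example.

```python
"""Audit notes.ini text for the client-side settings that disable
Java/JavaScript/applet execution in HTML mail.

The names in REQUIRED_SETTINGS are PLACEHOLDERS (an assumption of this
example): replace them with the notes.ini variable names and values given
in the IBM technote. Everything else is generic notes.ini parsing.
"""

# Placeholder setting names/values; replace with the ones from the technote.
REQUIRED_SETTINGS = {
    "PLACEHOLDER_DISABLE_JAVA_APPLETS": "0",
    "PLACEHOLDER_DISABLE_JAVASCRIPT": "0",
}


def parse_notes_ini(text):
    """Return (settings, duplicates).

    settings: dict of UPPERCASED name -> value (last occurrence wins here;
              flagged separately so an admin can decide what the client does).
    duplicates: set of names that appeared more than once.
    """
    settings = {}
    duplicates = set()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the [Notes] section header and anything
        # that is not a NAME=value assignment.
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = name.strip().upper()
        if key in settings:
            duplicates.add(key)
        settings[key] = value.strip()
    return settings, duplicates


def audit(text, required=REQUIRED_SETTINGS):
    """Return a list of human-readable findings; an empty list means compliant."""
    settings, duplicates = parse_notes_ini(text)
    findings = []
    for name, expected in required.items():
        key = name.upper()
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{name}: missing (client default applies)")
        elif actual != expected:
            findings.append(f"{name}: is {actual!r}, expected {expected!r}")
        if key in duplicates:
            findings.append(f"{name}: defined more than once")
    return findings


# Constructed sample: one setting missing, the other set to the wrong value.
SAMPLE_INI_WEAK = """[Notes]
Directory=C:\\Notes\\Data
KitType=1
PLACEHOLDER_DISABLE_JAVASCRIPT=1
"""

# Constructed sample: both placeholder settings present with the expected value.
SAMPLE_INI_HARDENED = """[Notes]
Directory=C:\\Notes\\Data
KitType=1
placeholder_disable_java_applets=0
PLACEHOLDER_DISABLE_JAVASCRIPT=0
"""

if __name__ == "__main__":
    for label, ini in (("weak", SAMPLE_INI_WEAK), ("hardened", SAMPLE_INI_HARDENED)):
        findings = audit(ini)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against a copy of each workstation's notes.ini (for example collected by a login script); any non-empty result is a client that still has the functionality enabled or has a conflicting duplicate entry that deserves a look.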

The issue reported is that, by default, the Notes client executes Java, JavaScript and Java applets in HTML mail.

An Interim Fix has been available since yesterday which no longer allows this functionality in HTML email. The just released 8.5.3 FP4 and also 9.0 are affected.

You don't need to install the fix asap, but you should at least disable the functionality using policy settings as a short-term solution.

I agree that this is a potential risk and would also rate it quite high. At the time it was implemented, customers wanted this new flexibility.
It would just have been good to be able to control it in mail with a separate setting and to have it disabled by default.

-- Daniel
