Symantec United States
©1995-2014 Symantec Corporation.
All rights reserved.

security updates

Can Lotus Notes Mail be attacked using LotusScript?

Last Updated on: February 9, 2006 09:48:05 AM CST

There have been reports that a security vulnerability in Lotus Notes Mail allows a user to create a malicious LotusScript (an internal, interpreted language) that can be executed without the direct control of the script creator. We have confirmed that although this is possible, such an attack is considered highly unlikely to succeed. If Notes is configured properly, it will prevent the attack.

The Lotus Notes client has a built-in, configurable security feature: the Execution Control List (ECL). The ECL controls the actions that executable code is allowed to perform in a Notes document. The ECL is a digital-signature-based system: what code may do depends on who signed it. ActiveX controls, however, when contained in a Notes message, are seen by Notes as having "No Signature". If your ECL is configured, as Lotus recommends, to deny all access to code with "No Signature", this attack will fail. We strongly recommend this ECL setting. The ECL can be centrally managed and pushed out to all Notes clients in a Notes domain.
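To make the ECL decision concrete, here is an added toy model (not Lotus code and not part of the original write-up) that evaluates a weak ECL and the recommended one against code that Notes sees as unsigned. The "-Default-" fallback entry, the signer names and the action names are assumptions for illustration only.

```python
"""Toy model of an Execution Control List (ECL) decision. Constructed example:
an ECL maps a signer name to the set of actions code signed by that signer may
perform. Code without a valid signature is matched against the special
"-No Signature-" entry; unknown signers fall back to "-Default-" (assumed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

NO_SIGNATURE = "-No Signature-"
DEFAULT = "-Default-"  # assumed fallback entry for signers not listed


@dataclass
class Code:
    signer: Optional[str]  # None models code Notes sees as having no signature
    wants: str             # the privileged action the code tries to perform


@dataclass
class ECL:
    entries: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, code: Code) -> bool:
        """Pick the ECL entry for the code's signer and check the action."""
        if code.signer is None:
            key = NO_SIGNATURE
        elif code.signer in self.entries:
            key = code.signer
        else:
            key = DEFAULT
        return code.wants in self.entries.get(key, set())


def unsigned_privileges(ecl: ECL) -> Set[str]:
    """Audit helper: every action the ECL grants to unsigned code (should be empty)."""
    return set(ecl.entries.get(NO_SIGNATURE, set()))


TRUSTED = {"file_system", "send_mail", "current_database"}  # illustrative action names

# Weak ECL: unsigned code gets the same rights as a trusted signer.
WEAK_ECL = ECL({"Admin/Acme": set(TRUSTED), NO_SIGNATURE: set(TRUSTED)})

# Hardened ECL as the write-up recommends: "-No Signature-" gets nothing.
HARDENED_ECL = ECL({"Admin/Acme": set(TRUSTED), NO_SIGNATURE: set()})

# Constructed sample: unsigned code in a mail message that wants to send mail.
MAIL_SCRIPT = Code(signer=None, wants="send_mail")


def weak_decision() -> bool:
    return WEAK_ECL.allows(MAIL_SCRIPT)      # True: the weak ECL lets it run


def hardened_decision() -> bool:
    return HARDENED_ECL.allows(MAIL_SCRIPT)  # False: denied, as recommended
```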

Even if the ECL is not configured properly, this attack can only work from within the Lotus Notes environment. The attack relies on LotusScript code, which cannot be contained within an SMTP message. This means that any attacker must be on the inside of your Notes network and can easily be tracked down through the Domino server logs.

Write-up by: JP Duan