Vulnerability Note VU#959207

Lotus Notes Java VM leaks file existence through timing difference in ECLs

Original Release date: 14 May 2001 | Last revised: 30 Mar 2006

Overview

Lotus Notes JVM leaks information about the existence of a file.

Description

A malicious Java applet run in the Lotus Notes web browser can determine if a local file exists. Notes' preferences must be set to browse the web using the Notes browser, with execution of Java applets enabled.

When a Java applet tries to access local files, Lotus Notes presents a dialog box to the user asking whether access should be allowed. It only presents this dialog after checking if the local file exists; if it does not exist, the dialog is not shown. Thus, if the applet can determine whether the dialog was shown, it will know whether the file exists.

If the dialog is shown, it will take some time for the user to notice it and click a button to dismiss it. The applet can detect whether the dialog was shown by checking the times before and after trying to access the local file. If the dialog was not shown, the time difference will be very small, while if the dialog was shown, the time difference will be substantially longer. Based on the time difference, the applet can determine if the dialog was shown and therefore whether the local file exists.

Impact

By checking for the existence of certain files, an attacker can learn what software is installed and what programs have been executed recently on the client machine. However, the attacker cannot read or modify any files through this vulnerability.

Solution

Lotus plans to fix this issue in a future release of Notes.

Disable execution of Java applets in Notes preferences. For more details, see http://www-1.ibm.com/support/docview.wss?uid=swg21102440.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Lotus SoftwareAffected03 May 200130 Mar 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Hiromitsu Takagi for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CVE-2000-1117
  • Date Public: 28 Nov 2000
  • Date First Published: 14 May 2001
  • Date Last Updated: 30 Mar 2006
  • Severity Metric: 0.06
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.