search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers

Vulnerability Note VU#126159

Original Release Date: 2011-06-07 | Last Revised: 2012-06-04

Overview

Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers. These vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.

Description

Autonomy Keyview IDOL is a set of libraries that can decode over 1,000 different file formats. The Autonomy Keyview IDOL libraries are used by a variety of applications, including IBM Lotus Notes, Lotus Domino, Symantec Mail Security, Hyland OnBase, and many others. These vulnerabilities result from a number of underlying issues. Some of these cases demonstrated memory corruption with attacker-controlled input and could be exploited to run arbitrary code. For example, code execution was verified by CERT/CC for a stack buffer overflow in the .WRI file parser.

Impact

By causing an application to process a specially-crafted file with the Autonomy Keyview IDOL library, a remote, unauthenticated attacker may be able to cause an affected application to crash, resulting in a denial of service, or executing arbitrary code with the privileges of the vulnerable application. Depending on what application is using Keyview IDOL, these may happen as the result of some user interaction, such as single-clicking on a file, or it may happen with no user interaction at all.

Solution

Apply an Update

Autonomy has released version 10.13.1 of Keyview IDOL to address these issues.

Autonomy customers can download the update from Autonomy's Customer Support website.

The following versions of Symantec products have been released to address these vulnerabilities. Symantec customers may retrieve these versions through their normal support methods.

    • Symantec Mail Security for Microsoft Exchange 6.5.6 or 6.0.13
    • Symantec Mail Security for Domino 7.5.12 or 8.0.9
    • Symantec Brightmail and Messaging Gateway 9.5.1
    • Symantec Data Loss Prevention 11.1.1
If you are unable to apply an update to address these vulnerabilities please consider the following workarounds.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Workaround for IBM Lotus Notes

Delete the keyview.ini file in the Notes program directory (C:\ProgramData\Lotus\Notes\Data\Shared).
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file.
After removing the dll file, when a user tries to view a file that requires that viewer, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference affected DLL file.
To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll ---> this would be the result of the Excel dll commented out

Workaround for Symantec Mail Security

Symantec Mail Security is susceptible only if the attachment content scanning option is enabled.

To disable the content filtering rules for Symantec Mail Security for Microsoft Exchange:

    • Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
    • Ensure that all rules using attachment content are "disabled"
To disable the content filtering rules for Symantec Mail Security for Domino:
    • Select the "Content Filtering" tab to display the list of current enabled rules
    • Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X", and disabling the rule

Vendor Information

126159
Expand all

Autonomy

Notified:  February 03, 2011 Updated:  March 18, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CA Technologies

Updated:  March 21, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CA DLP 14.0 contains Autonomy Keyview.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  March 16, 2011 Updated:  March 30, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The vulnerabilities have been addressed in RSA DLP 8.5 SP1 P1, RSA DLP 8.8 and all subsequent releases.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hyland Software

Notified:  March 18, 2011 Updated:  March 18, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Notified:  February 07, 2011 Updated:  March 18, 2011

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

McAfee

Notified:  March 08, 2012 Updated:  March 21, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

McAfee Host Data Loss Prevention 9.1 uses Autonomy Keyview.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Palisade Systems

Updated:  June 04, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Proofpoint

Updated:  May 22, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Symantec

Notified:  February 07, 2011 Updated:  March 21, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20111006_00

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trend Micro

Updated:  May 22, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Verdasys

Updated:  June 04, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WebSense

Notified:  March 29, 2012 Updated:  April 18, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Websense has released version 7.6.3 of their TRITON Data Security product to address these vulnerabilities. Users with a current support contract can download the updates from the Websense support portal.

Addendum

Websense TRITON Data Security 7.6 includes Keyview 10.11, which is vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Adobe

Notified:  March 16, 2011 Updated:  March 18, 2011

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Notified:  March 16, 2011 Updated:  March 30, 2012

Statement Date:   March 18, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Cisco IronPort uses RSA DLP components, which contain Autonomy Keyview. RSA DLP 8.5 SP1 P1, RSA DLP 8.8 and all subsequent releases have addressed these vulnerabilities. It is unknown at this time if Cisco IronPort products contain a vulnerable version of RSA DLP.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Citrix

Notified:  March 16, 2011 Updated:  March 16, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  March 16, 2011 Updated:  March 16, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Iron Mountain

Notified:  March 31, 2011 Updated:  March 31, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell, Inc.

Notified:  March 16, 2011 Updated:  March 16, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenWave

Notified:  March 16, 2011 Updated:  March 16, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Notified:  March 16, 2011 Updated:  March 16, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sybase

Notified:  March 16, 2011 Updated:  March 16, 2011

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 9.0 AV:N/AC:M/Au:N/C:C/I:C/A:P
Temporal 7.4 E:F/RL:OF/RC:C
Environmental 7.4 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

These vulnerabilities were reported by Will Dormann and Jared Allar of the CERT/CC.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 50.18
Date Public: 2011-06-07
Date First Published: 2011-06-07
Date Last Updated: 2012-06-04 13:06 UTC
Document Revision: 80

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.