News.com: IBM patches Lotus flaw
February 11 2006
CNET and others have reported on new security patches that were already included in Notes 6.5.5 and now this week are available in Notes 7.0.1.
IBM has issued a patch for a half dozen "highly critical" security flaws in versions of its Lotus Notes, which could allow a malicious attacker to execute arbitrary code remotely when users access files through the Notes attachment viewer.
I acknowledge a left-hand right-hand problem here. I made a particularly boastful claim about the Notes client not having had to be security patched over the years during one of my Lotusphere sessions, while we had in fact put such a patch in the most recent version of the code. My mistake. However, I'd still take Notes/Domino's history in the security space over 20 other enterprise software products -- they thought it out right at the start, and even in this case, the file viewers are somewhat orthogonal to the "core" code.
Link: News.com: IBM patches Lotus flaw >
Link: Lotus.com/security (updated technotes) >
- 2
Chris Bordeleau http://chris.bordeleau.net | 2/11/2006 4:53:29 PM
However big of a deal it was that Notes went 16 years without a security bug, I think it was a bad idea to add this to the session and then two weeks later release a security patch. Making note of the MS Outlook patch the week before Lotusphere even worsens the scenario.
One security patch in 16 years is a very good record. It could have stood on its own. Now it seems somewhat tarnished.
Link to my Blog entry on the subject { Link }
- 3
Paul Mooney http://www.pmooney.net | 2/11/2006 8:56:02 PM
@ed
Are little trolls allowed here, Ed? (previous post)
- 4
Ed Brill www.edbrill.com | 2/11/2006 10:34:35 PM
Yes, I've deleted the troll's comment.
@2 Chris -- I get this. My 'mea culpa' in this posting is that I honestly didn't know about this pending security issue when I presented at Lotusphere. That's the "left hand right hand problem", and I'm taking full responsibility for it by blogging about it.
- 5
Steven Byrne | 2/12/2006 8:36:51 AM
Just to confirm 655 and 701 have the patches already, so if you are on those versions there is nothing additional that needs to be done at this time?
- 6
Chris Bordeleau http://chris.bordeleau.net | 2/12/2006 8:58:31 AM
@4 Ed - thanks and I can understand where you are coming from... no one likes to eat crow... And in making this post I think you are owning up to this. Very respectable...
Let's hope we can go another 16 years without another Security related client patch... :)
- 7
Oliver Regelmann http://www.n-komm.de/blog | 2/12/2006 8:38:55 PM
Hmm, no security patches in 16 years? May I ask why these two don't count?
{ Link }
{ Link }
- 8
Ed Brill www.edbrill.com | 2/13/2006 1:07:21 AM
They count, too, Oliver. I would probably defensively say the java applet one is a little different, but the first one clearly is what it is.
I've already edited the slides I carry locally to take that bullet out, and will re-generate the PDF shortly. Perhaps I can figure out how to make the MS graphics I "borrowed" less resource-heavy in the process.
- 9
Oliver Regelmann http://www.n-komm.de/blog | 2/13/2006 5:25:09 PM
OK, thanks. Two (or now three) in sixteen years is still not too bad ;-)
- 10
Bob Congdon http://www.bobcongdon.com/blog | 11/28/2007 4:21:29 PM
And now you can add this one: { Link } to the list as well.
Those KeyView viewers are crap.

