An article appeared this morning in Heise (auf Deutsch) (in English) about a password exposure in Lotus Notes.   IBM has published a technote (1266085) today addressing the possibility described in the article.  As you'll see in the technote, this issue is classified as low risk: exploiting it requires that the undocumented debug variable be set on the desktop operating system in the first place, and then access to the output file it produces.  The technote indicates:

IBM Lotus inadvertently disclosed this debug variable for a short period of time and subsequently removed all instances from its public Web sites. Lotus Notes versions 8.0, 7.0.3 and all future versions will contain a fix that will remove the use of this undocumented debug variable.

 I've read some of the discussions about this topic.  Even though the first public report of this issue was in German, a week ago, it took an English-language posting to stir up the community.  Some of the initial reactions called the exposure "horrible", while others recognized that physical access allows for a lot of other potential hacks (e.g. keystroke loggers).  Either way, I found myself caught up in the emotion yesterday, and probably should have signed off IM (internal and external) at some point.

The best and proper way to report a security issue to IBM Lotus is to contact security@notesdev.ibm.com.  It may not get as much initial visibility, but it will result in action, without the perceived external pressure of a public posting.  That is what the spirit of the tight-knit Lotus community is about.
