If you haven't already killed Lotus Notes, IBM just gave you the perfect reason to do it now, fast

IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code. In its advisory, IBM says the Notes Smart Updater service, which sees upgrades of Notes sent to users' desktops, “can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp …

  1. FozzyBear
    Alien

    IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.

    I thought notes WAS the malicious code.

    1. Anonymous Coward
      Anonymous Coward

      IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.

      I thought notes WAS the malicious code.

      They're just afraid Blotes might run *better* afterwards...

    2. ecofeco Silver badge

      Old joke is still best joke.

      Have an upvote Fozzy!

    3. Updraft102

      Wakka wakka!

    4. Anonymous Coward
      Anonymous Coward

      I find it amazing that there are companies that can run their business on shite like Lotus Notes, and seem to just bounce from disaster to disaster, Notes, CMSynergy, Sharepoint, TFS etc etc....

      Do people not even bother with product evaluations, and just assume because its IBM or Microsoft, its going to be great. The era of nobody getting fired for buying Microsoft or IBM is long gone, you ARE accountable now...

    5. Dominic Shields

      There are two kinds of people, those who understand what Notes is and what it can do (very rare) and then there are people who don't but slag it off anyhow.

  2. seven of five

    CVE-2018-1383

    Affected fileset is bos.cluster.rte, so this should be within the CAA subsystem. Probably something with guessing cluster and node id and then impersonating another node. The kind of "exploit" which only works if you already have extensive knowledge, privilege and time within the network on your hand.

    1. Tom Chiverton 1

      Re: CVE-2018-1383

      "extensive knowledge, privilege and time"

      Like governments

    2. Anonymous Coward
      Anonymous Coward

      Re: CVE-2018-1383 @Seven

      Methinks you've seen some of the internal documentation! Some scuttlebutt appear to suggest that this is indeed the problem.

      AIX will only have this fileset if it's in some form of cluster, so non-clustered AIX systems will not suffer from this vulnerability.

      1. seven of five

        Re: CVE-2018-1383 @Seven

        Unfortunately I have not seen internal documentation, otherwise I wouldn't be working here[tm]. I do have quite some experience with IBM though.

        CAA is always with AIX, though hacmp these days uses it for topology services. If it would affect only hacmp I would have been unable to pin it down to caa, hacmp probably has enough holes on its own.

        1. Peter Gathercole Silver badge

          Re: CVE-2018-1383 @Seven

          I took the efix apart yesterday (publicly available to anybody and can be examined using anything that understands tar), the description is "ABSTRACT=CAA clcomd fix", and the only thing that is shipped with it is a replacement for /usr/sbin/clcomd.

          Whilst it is true that this fileset is shipped as part of AIX (although only usable on Standard and Enterprise edition, not Express), it is only needed on systems that are clustered in some way. I know it is needed by System Mirror PowerHA (HACMP), but I suspect that it may also be used by some of the other cluster services like Spectrum Scale Storage (GPFS) and maybe other things that use RMC/RSCT, although it is not used for communication with the HMC.

          The published APARs contain virtually no information about the nature of the vulnerability, so it would require internal knowledge to definitively know what the problem is.

          Maybe the AC who replied to you actually has seen something to confirm your guess.

          I am currently involved in running a mixed estate of clustered and non-clustered (PowerHA) AIX systems, and clcomd is generally not running on the non-clustered systems.

    3. nijam Silver badge

      Re: CVE-2018-1383

      > The kind of "exploit" which only works if you already have extensive knowledge, privilege and time within the network on your hand.

      Or if you pick up a script that can work out all that stuff for you, I expect.

  3. Philip Storry

    I wonder how many customers are even using this feature.

    I seem to recall that it arrived in Notes 6.x, but required admin rights on the machine or Windows local admin credentials stored in the Notes infrastructure. It was a nice idea, but implementing it tended to make security teams antsy. Later versions (7+) improved it, but frankly not quite enough.

    As such, whilst it wasn't a bad feature, most companies went with a third party packaging/deployment tool that could also handle all their other software. Investing the time and effort into Smart Upgrade just to get Notes upgraded wasn't worth the hassle if you could instead get something else to do the job for all your software.

    If this feature had shipped five or ten years earlier, it would have gotten widespread adoption. But I always felt it was just a little too late. I'm sure some customers are using it, but I'd bet that the vast majority aren't.

    Disclaimer: I'm no longer working with Notes. Nor, for that matter, with Exchange. The cloud has pretty much killed the messaging employment market. (There's a lot of migration jobs, but that's not exactly a career...)

    1. Anonymous Coward
      Anonymous Coward

      Using %windir%\temp is very bad programming practice which shows the age of Notes - and which was never fixed, it looks. Nowadays everything under the Windows directory should be regarded as OS private, and, unless you're writing OS extensions, you should never mess with its contents, nor require the privileges to be able to write within. If you can mess there, usually you can mess the whole system.

      Moreover, anything you download and run should be signed with a certificate you trust, and still run with the minimum privilege required.

      1. Nick Ryan Silver badge

        ...about as bad as writing anything into the "program files" directory when the writer is not an installation or update process.

        Oh wait, lots of extremely poorly written applications still seem to think that this tree is a good location for data or log files.

    2. GruntyMcPugh Silver badge

      Not even IBM,...

      ... IBM used to use an in house (or rebadged) tool called ISSI (IBM Standard Software Installer) to upgrade applications. So the largest user base out there didn't use this feature.

    3. ecofeco Silver badge

      How many? You would be surprised. I know I was. There are still many companies using this world wide. Rather large companies at that.

      Sorry, can't name names on this one. Confidentiality and all that.

      1. Mark 110

        Coop Bank, Sopra Steria, IBM . . .

      2. nijam Silver badge

        > Sorry, can't name names on this one. Confidentiality and all that.

        Embarrassment rather than confidentiality, I suspect.

  4. Anonymous Coward
    Anonymous Coward

    I was a Notes admin at IBM for a decade and never saw a customer use the auto update service.

  5. Anonymous Coward
    Anonymous Coward

    Notes is still a thing???!!

    You mean people are still using it??!! :-O

    1. Hans 1
      Windows

      Re: Notes is still a thing???!!

      You mean people are still using it??!! :-O

      Well, people are also still using Outlook, I know, crazy!

      1. Anonymous Coward
        Anonymous Coward

        "Well, people are also still using Outlook, I know, crazy!"

        Yes, it's incredible the "big open source community" could never deliver anything better than Outlook, and even Thunderbird is suffering from a lack of support.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Well, people are also still using Outlook, I know, crazy!"

          >>even Thunderbird is suffering lack of support.

          I worked on and used Thunderbird for a long time but gave up a few years ago when it became very clear that Mozilla didn't really give a damn about it. It had potential but it was never anywhere near Outlook in terms of functionality or ease of use, tbh it was like Windows 2000 era Outlook Express (and about as nice to look at) but slightly less dangerous to use.

          But hell, back when I was working on it and using it, the damned thing didn't even have a built in calendar. You had to install an extension. And Sunbird, the "official" Calendar extension kind of sucked.

          On the plus side, the Enigmail extension was pretty easy to use for encrypted email, provided you knew how to use GnuPG, so it wasn't all bad, just disappointing.

          1. Antron Argaiv Silver badge
            Thumb Up

            Re: "Well, people are also still using Outlook, I know, crazy!"

            I use it at home to monitor my three webmail accounts. It works OK...for what I do with it.

            Sure wish there was some real competition for Outlook from the open source community.

            I think part of the problem might be that it's such a moving target, what with features and protocols seemingly changing drastically with every release.

            // wouldn't mind a (file-compatible) replacement for Project and Visio, while I'm wishing...

            1. ibmalone

              Re: "Well, people are also still using Outlook, I know, crazy!"

              I don't think Thunderbird ever aimed at being a replacement for Outlook, though having a calendar is handy (and Lightning is integrated now), it's a mail client and still does that well. Evolution was meant to be an Outlook-equivalent, but I haven't used it for anything other than the address book in years.

            2. Anonymous Coward
              Anonymous Coward

              Re: "Well, people are also still using Outlook, I know, crazy!"

              gliffy.com may work for you as regards replacing Visio....

        2. Roland6 Silver badge

          Re: "Well, people are also still using Outlook, I know, crazy!"

          >Yes, it's incredible the "big open source community" could never deliver anything better than Outlook

          There is Zimbra...

          1. Anonymous Coward
            Anonymous Coward

            Re: "Well, people are also still using Outlook, I know, crazy!"

            Has Zimbra a desktop client? Web client solutions are useless to Outlook users.

            We're talking about Outlook, not Exchange, even if of course Outlook is designed to work with Exchange, but a lot of people choose Exchange exactly because it has a desktop client like Outlook, not vice versa.

            1. Roland6 Silver badge
              Pint

              Re: "Well, people are also still using Outlook, I know, crazy!"

              >Has Zimbra a desktop client?

              https://www.zimbra.com/zimbra-desktop/ :)

              BTW I'm not suggesting Zimbra is a wonderful all singing-and-dancing replacement for Outlook, just answering the original question...

              1. IGnatius T Foobar

                Re: "Well, people are also still using Outlook, I know, crazy!"

                Zimbra has become a bloated mess, and an albatross around whichever company happens to own it at any given time. Citadel is a true open source alternative and people love it.

              2. Anonymous Coward
                Anonymous Coward

                Re: "Well, people are also still using Outlook, I know, crazy!"

                A Java client? OMG!

                Java, one of the few things that are as bad as Notes to have installed. Only Flash is worse.

            2. This post has been deleted by its author

        3. Tom 38

          Re: "Well, people are also still using Outlook, I know, crazy!"

          could never deliver anything better than Outlook

          Because Outlook is not something to be admired, it's a mahoosive vendor lock in masquerading as a feature full email client. FOSS follows KISS, Outlook does not.

          1. Gordon 10

            Re: "Well, people are also still using Outlook, I know, crazy!"

            That's harsh imo. It's still in use because it's easier to give everyone it rather than split the user base into ordinary and power users (generally sales or customer facing).

            And it has *no* real competitors.

          2. Anonymous Coward
            Anonymous Coward

            KISS...

            Yes, but in this case it means Keeping It Subpar, Sorry.

            It is true that Outlook is also a big lock-in into Exchange, but if FOSS ever delivered something comparable, many would have had switched happily. There's a limit to simplicity, past which it just means lack of power and features.

            Outlook offers a very well designed and powerful GUI to let the user manage groupware items quickly and comfortably.

            Unluckily FOSS is often not able to deliver great GUI applications. One reason is probably the fragmentation of desktop managers, widgets and graphic libraries. Another is the lack of good GUI development tools and libraries, which are not easy to code. Up to the point that most GUI applications are written in Java, with all the disadvantages of a memory hungry VM and slow UI.

            That's also a big roadblock to broaden Linux desktop usage, not everybody likes a command line or a browser.

            1. Solmyr ibn Wali Barad

              Re: KISS...

              "Outlook offers a very well designed and powerful GUI"

              Used to. That was the greatest advantage MS had, and of course they had to fix it.

        4. JimmyPage Silver badge
          Windows

          Thunderbird != Outlook

          not even close.

          The one thing about Outlook - for better, for worse, is it integrates calendar and email as seamlessly as a clueless user needs.

          One thing about being out of the corporate fold, and using Linux for *everything* is you realise how good MS were where it counts.

          That said, I never understood why even Outlook couldn't match calendar entries and OOO so that if you accepted a meeting as OOO, your Outlook wouldn't automatically switch OOO on ???????

          1. Paul Crawford Silver badge

            Re: Thunderbird != Outlook

            Serious question here: Why is having a calendar in your email client a good thing?

            Every time Outlook is discussed this comes up as its main advantage - and I just don't get it. Sure I see that having some good calendar functionality is useful, but its not something I ever see as related to email (reminders being sent to your inbox being the obvious exception).

            1. Anonymous Coward
              Anonymous Coward

              Re: Thunderbird != Outlook

              It's not just the calendar itself. It's the groupware functionalities. You can check people, rooms, etc. availability while setting up a meeting, find the slot you need, have mail sent automatically, add documents to the meeting, and be notified about who accepts and who doesn't. When you accept, your calendar is automatically updated, and you can add notes or items to the response. You can also move the meeting and updates to everybody happen automatically. You can also open other people's mailboxes or calendars and operate on them, if you have the permissions. Very useful for assistants, and they do that with their login and with given permissions, no need to share passwords and give full unfettered access, and everything is logged. You can also have shared ones.

              All features that are overkill for single users or small groups, but are very useful for medium and large organizations.

              Outlook is not a mail client with added features, it is a groupware client which includes email.

              Notes paved the way, but it kept an ugly UI and made many features less usable. Outlook introduced many new UI elements, i.e., the grouping tables, the Outlook bar, which made its use far more practical and productive.

              1. Paul Crawford Silver badge

                Re: Thunderbird != Outlook

                Thanks for that insight, but all of that is really a feature of exchange I guess, and not of the "email client" as such.

            2. Roland6 Silver badge

              Re: Thunderbird != Outlook

              >Serious question here: Why is having a calendar in your email client a good thing?

              You're approaching this from the wrong direction: the question is why is having Email in your PIM/groupware client a good thing?

              Remember MS were (as usual) coming from behind: they didn't have a PIM - a market being lost to Lotus Organiser (and others), they didn't have an email client that could stand against Lotus cc:Mail (and others), plus they didn't have a groupware/collaboration platform, unlike Lotus with Notes. In this context Outlook/Exchange had to cover a lot of bases in quick order, fortunately for MS, Lotus had shown the way, MS were able to avoid the worst pitfalls and use hype to unseat Lotus...

              So returning to your question, the answer is because you only need to purchase a single client licence...

          2. nijam Silver badge

            Re: Thunderbird != Outlook

            > ... a clueless user ...

            And there you have it.

            In this case, "clueless" meaning "can't tell the difference between a message and an event" (i.e. email and calendar).

        5. Anonymous Coward
          Anonymous Coward

          Re: "Well, people are also still using Outlook, I know, crazy!"

          I would prefer GSuite any day of the week over Notes or Outlook, it's also vastly more secure and much cheaper too. You would have to be insane to not try it out. Things that used to be hassle are now totally seamless.

          The era of installing applications is dead.

        6. nijam Silver badge

          Re: "Well, people are also still using Outlook, I know, crazy!"

          > ... anything better than Outlook...

          Outlook is a monolithic chunk of stuff that doesn't all belong in one application, unless the intent is to brick users up into a lucrative silo.

      2. Ken 16 Silver badge

        Re: Notes is still a thing???!!

        You compare the cost of migrating off it to the cost of leaving it alone

        1. Anonymous Coward
          Anonymous Coward

          Re: Notes is still a thing???!!

          Notes is still a thing for IBMers, those that haven't been "voluntary redundancy"d

    2. Korev Silver badge
      Coat

      Re: Notes is still a thing???!!

      "You mean people are still using it"

      Odd, they're all going down like Dominos

  6. Anonymous South African Coward Bronze badge

    Bloated goats still alive?

  7. Wolfclaw

    Power8/9 get fixes, older chips out of service, yet I bet big blue are still milking service contracts for some users and leaving them vulnerable and typical of tech companies, abandoning their hardware to promote inbuilt obsolescence !

  8. adam payne

    Author Lasse Trolle Borup explains “the service simply copies itself to the TEMP directory and executes the copy, probably for when the update service must update its own executable. The problem here is, that though normal users are not allowed to list the contents of TEMP, they can still write files there.”

    How many other applications update in the same way? Thousands or millions?
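    Two comments on this page describe the two halves of the same problem: the Smart Updater copying itself into a shared TEMP directory that any user can write into (quoted just above), and the earlier Anonymous Coward's point that downloaded code should live somewhere private, be verified before it is executed, and run with the minimum privilege it needs. The Python below is an added example, not IBM's code and not anything from the advisory or from Borup's write-up: it stages an update into a fresh private directory, refuses to execute from a directory other users can write to, checks the payload against a pinned digest before running it (a stand-in for an Authenticode signature check against a trusted publisher certificate), and audits a library search order for a same-named file that shadows the trusted copy. The sample payload, directory names and `libfoo.dll`/`libbar.dll` are constructed for the demo, and the "writable by others" test uses POSIX mode bits in place of Windows ACLs.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample "update payload" and its pinned digest. A real updater would
# check an Authenticode signature from a publisher certificate it trusts; the
# pinned SHA-256 here only stands in for that step so the flow runs offline.
SAMPLE_UPDATE = b"echo 'pretend this is the replacement updater executable'\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def dir_writable_by_others(path: Path) -> bool:
    """POSIX stand-in for 'another user could drop a file here': group- or
    world-writable mode bits. A sticky 1777 /tmp still counts, because anyone
    can create a *new* name in it, which is all a file squatter needs."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def private_staging_dir(prefix: str = "updater-") -> Path:
    """mkdtemp creates a fresh directory with mode 0700, so only this user can
    write into it; this is the alternative to a shared %windir%\\temp."""
    return Path(tempfile.mkdtemp(prefix=prefix))


def stage_update(staging: Path, payload: bytes) -> Path:
    target = staging / "update.bin"
    target.write_bytes(payload)
    return target


def verify_before_run(candidate: Path, expected_sha256: str) -> tuple:
    """Checks to apply before executing or loading a staged file. Returns (ok, reason)."""
    if dir_writable_by_others(candidate.parent):
        return False, f"{candidate.parent} is writable by other users"
    if candidate.is_symlink():
        return False, "candidate is a symlink; another user could retarget it"
    digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
    if digest != expected_sha256:
        return False, "digest mismatch: file is not the payload we downloaded"
    return True, "ok"


def shadowed_names(search_dirs, trusted_dir, names):
    """Search-order audit: report names that resolve from a directory that comes
    before the trusted one in search_dirs (the DLL-search-order hijack pattern)."""
    findings = []
    for name in names:
        for d in search_dirs:
            if (Path(d) / name).exists():
                if Path(d).resolve() != Path(trusted_dir).resolve():
                    findings.append((name, str(d)))
                break  # first hit wins, exactly as a loader would resolve it
    return findings


def demo() -> dict:
    """Runs the scenarios on constructed directories and returns the outcomes."""
    private = private_staging_dir()
    shared = Path(tempfile.mkdtemp(prefix="shared-temp-"))
    trusted = private_staging_dir(prefix="system32-")  # constructed 'trusted' dir
    try:
        os.chmod(shared, 0o1777)  # mimic a shared TEMP that every user can write into
        results = {}
        results["private_ok"] = verify_before_run(
            stage_update(private, SAMPLE_UPDATE), PINNED_SHA256)[0]
        results["shared_ok"] = verify_before_run(
            stage_update(shared, SAMPLE_UPDATE), PINNED_SHA256)[0]
        results["tampered_ok"] = verify_before_run(
            stage_update(private, SAMPLE_UPDATE + b"# appended\n"), PINNED_SHA256)[0]
        # A same-named file in the shared dir shadows the trusted copy because the
        # shared dir is searched first.
        (trusted / "libfoo.dll").write_bytes(b"trusted library (constructed)")
        (shared / "libfoo.dll").write_bytes(b"decoy (constructed)")
        results["shadowed"] = shadowed_names(
            [shared, trusted], trusted, ["libfoo.dll", "libbar.dll"])
        return results
    finally:
        for d in (private, shared, trusted):
            shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Running `demo()` shows the private staging dir passing, the shared 1777 dir and the tampered payload both refused, and `libfoo.dll` reported as resolving from the shared directory rather than the trusted one; `libbar.dll`, present nowhere, is not reported. The digest check is the weakest part of the stand-in: a pinned hash only protects the file between download and execution, whereas a signature check ties the file to a publisher and does not require the updater to know the exact bytes in advance.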

  9. Anonymous Coward
    Anonymous Coward

    10

    It has now issued firmware patches for its POWER7 through to POWER9 platforms here (older chips are out-of-service), IBM i operating system patches are here, and AIX patches here.

    Wow, all 10 AIX users can get patches...

    1. Ken 16 Silver badge

      How old are you?

      Well, of course, we had it tough. We used to 'ave to get up out of shoebox at twelve o'clock at night and lick road clean wit' tongue. We had two bits of cold gravel, worked twenty-four hours a day at mill for sixpence every four years, and when we got home our Dad would slice us in two wit' bread knife

      1. Aladdin Sane

        Re: How old are you?

        And that's if we were lucky!

  10. Lotaresco
    Trollface

    Oh come on! This is fake news folks!

    "Lasse Trolle Borup"

    And his friend Valter Unterbrücke, no doubt.

  11. Anonymous Coward
    Linux

    Year 2000 is calling and wants its DLL hijacking exploit back

    can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory.”

    Sep 2000: "Microsoft Windows DLL search path weakness"

  12. sisk

    Lotus Notes is still around and getting updates? Huh....I thought it fell by the wayside years ago.

  13. sagan25

    Gents...slow down

    Sorry, if every serious Office bug over the last years had resulted in a recommendation to uninstall this buggy Microsoft stuff...Notes bashing is so boring.

  14. unwarranted triumphalism

    Still Apple's fault.

  15. Anonymous Coward
  16. Anonymous Coward
    Anonymous Coward

    I miss Notes.

    It was great !

    My coat is the one with straps to stop me doing harm to myself.
