IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.
I thought notes WAS the malicious code.
In its advisory, IBM says the Notes Smart Updater service, which sees upgrades of Notes sent to users' desktops, “can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp …
I find it amazing that there are companies that can run their business on shite like Lotus Notes, and seem to just bounce from disaster to disaster, Notes, CMSynergy, Sharepoint, TFS etc etc....
Do people not even bother with product evaluations, and just assume because it's IBM or Microsoft, it's going to be great? The era of nobody getting fired for buying Microsoft or IBM is long gone, you ARE accountable now...
Affected fileset is bos.cluster.rte, so this should be within the CAA subsystem. Probably something with guessing cluster and node id and then impersonating another node. The kind of "exploit" which only works if you already have extensive knowledge, privilege and time within the network on your hands.
Unfortunately I have not seen internal documentation, otherwise I wouldn't be working here[tm]. I do have quite some experience with IBM though.
CAA is always with AIX, though hacmp these days uses it for topology services. If it would affect only hacmp I would have been unable to pin it down to caa, hacmp probably has enough holes on its own.
I took the efix apart yesterday (publicly available to anybody and can be examined using anything that understands tar), the description is "ABSTRACT=CAA clcomd fix", and the only thing that is shipped with it is a replacement for /usr/sbin/clcomd.
Whilst it is true that this fileset is shipped as part of AIX (although only usable on Standard and Enterprise edition, not Express), it is only needed on systems that are clustered in some way. I know it is needed by System Mirror PowerHA (HACMP), but I suspect that it may also be used by some of the other cluster services like Spectrum Scale Storage (GPFS) and maybe other things that use RMC/RSCT, although it is not used for communication with the HMC.
The published APARs contain virtually no information about the nature of the vulnerability, so it would require internal knowledge to definitively know what the problem is.
Maybe the AC who replied to you actually has seen something to confirm your guess.
I am currently involved in running a mixed estate of clustered and non-clustered (PowerHA) AIX systems, and clcomd is generally not running on the non-clustered systems.
I wonder how many customers are even using this feature.
I seem to recall that it arrived in Notes 6.x, but required admin rights on the machine or Windows local admin credentials stored in the Notes infrastructure. It was a nice idea, but implementing it tended to make security teams antsy. Later versions (7+) improved it, but frankly not quite enough.
As such, whilst it wasn't a bad feature, most companies went with a third party packaging/deployment tool that could also handle all their other software. Investing the time and effort into Smart Upgrade just to get Notes upgraded wasn't worth the hassle if you could instead get something else to do the job for all your software.
If this feature had shipped five or ten years earlier, it would have gotten widespread adoption. But I always felt it was just a little too late. I'm sure some customers are using it, but I'd bet that the vast majority aren't.
Disclaimer: I'm no longer working with Notes. Nor, for that matter, with Exchange. The cloud has pretty much killed the messaging employment market. (There's a lot of migration jobs, but that's not exactly a career...)
Using %windir%\temp is very bad programming practice which shows the age of Notes - and which was never fixed, it looks. Nowadays everything under the Windows directory should be regarded as OS private, and, unless you're writing OS extensions, you should never mess with its contents, nor require the privileges to be able to write within. If you can mess there, usually you can mess the whole system.
Moreover, anything you download and run should be signed with a certificate you trust, and still run with the minimum privilege required.
>>even Thunderbird is suffering lack of support.
I worked on and used Thunderbird for a long time but gave up a few years ago when it became very clear that Mozilla didn't really give a damn about it. It had potential but it was never anywhere near Outlook in terms of functionality or ease of use, tbh it was like Windows 2000 era Outlook Express (and about as nice to look at) but slightly less dangerous to use.
But hell, back when I was working on it and using it, the damned thing didn't even have a built in calendar. You had to install an extension. And Sunbird, the "official" Calendar extension kind of sucked.
On the plus side, the Enigmail extension was pretty easy to use for encrypted email, provided you knew how to use GnuPG, so it wasn't all bad, just disappointing.
I use it at home to monitor my three webmail accounts. It works OK...for what I do with it.
Sure wish there was some real competition for Outlook from the open source community.
I think part of the problem might be that it's such a moving target, what with features and protocols seemingly changing drastically with every release.
// wouldn't mind a (file-compatible) replacement for Project and Visio, while I'm wishing...
I don't think Thunderbird ever aimed at being a replacement for Outlook, though having a calendar is handy (and lightning is integrated now), it's a mail client and still does that well. Evolution was meant to be an Outlook-equivalent, but I haven't used it for anything other than the address book in years.
Has Zimbra a desktop client? Web client solutions are useless to Outlook users.
We're talking about Outlook, not Exchange, even if of course Outlook is designed to work with Exchange, but a lot of people choose Exchange exactly because it has a desktop client like Outlook, not vice versa.
Yes, but in this case it means Keeping It Subpar, Sorry.
It is true that Outlook is also a big lock-in into Exchange, but if FOSS ever delivered something comparable, many would have had switched happily. There's a limit to simplicity, past which it just means lack of power and features.
Outlook offers a very well designed and powerful GUI to let the user manage groupware items quickly and comfortably.
Unluckily FOSS is often not able to deliver great GUI applications. One reason is probably the fragmentation of desktop managers, widgets and graphic libraries. Another is the lack of good GUI development tools and libraries, which are not easy to code. Up to the point that most GUI applications are written in Java, with all the disadvantages of a memory hungry VM and slow UI.
That's also a big roadblock to broaden Linux desktop usage, not everybody likes a command line or a browser.
not even close.
The one thing about Outlook - for better, for worse, is it integrates calendar and email as seamlessly as a clueless user needs.
One thing about being out of the corporate fold, and using Linux for *everything* is you realise how good MS were where it counts.
That said, I never understood why even Outlook couldn't match calendar entries and OOO so that if you accepted a meeting as OOO, your Outlook wouldn't automatically switch OOO on?
Serious question here: Why is having a calendar in your email client a good thing?
Every time Outlook is discussed this comes up as its main advantage - and I just don't get it. Sure I see that having some good calendar functionality is useful, but it's not something I ever see as related to email (reminders being sent to your inbox being the obvious exception).
It's not just the calendar itself. It's the groupware functionalities. You can check people, rooms, etc. availability while setting up a meeting, find the slot you need, have mail sent automatically, add documents to the meeting, and be notified about who accepts and who doesn't. When you accept, your calendar is automatically updated, and you can add notes or items to the response. You can also move the meeting and updates to everybody happen automatically. You can also open other people's mailboxes or calendars and operate on them, if you have the permissions. Very useful for assistants, and they do that with their login and with given permissions, no need to share passwords and give full unfettered access, and everything is logged. You can also have shared ones.
All features that are overkill for single users or small groups, but are very useful for medium and large organizations.
Outlook is not a mail client with added features, it is a groupware client which includes email.
Notes paved the way, but it kept an ugly UI and made many features less usable. Outlook introduced many new UI elements, i.e. the grouping tables, the Outlook bar, which made its use far more practical and productive.
>Serious question here: Why is having a calendar in your email client a good thing?
You're approaching this from the wrong direction; the question is why is having Email in your PIM/groupware client a good thing?
Remember MS were (as usual) coming from behind: they didn't have a PIM - a market being lost to Lotus Organiser (and others), they didn't have an email client that could stand against Lotus cc:Mail (and others), plus they didn't have a groupware/collaboration platform, unlike Lotus with Notes. In this context Outlook/Exchange had to cover a lot of bases in quick order, fortunately for MS, Lotus had shown the way, MS were able to avoid the worst pitfalls and use hype to unseat Lotus...
So returning to your question, the answer is because you only need to purchase a single client licence...
I would prefer GSuite any day of the week over Notes or Outlook, it's also vastly more secure and much cheaper too. You would have to be insane to not try it out. Things that used to be hassle are now totally seamless.
The era of installing applications is dead.
Author Lasse Trolle Borup explains “the service simply copies itself to the TEMP directory and executes the copy, probably for when the update service must update its own executable. The problem here is that, though normal users are not allowed to list the contents of TEMP, they can still write files there.
How many other applications update in the same way? Thousands or millions?
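An audit a defender could run on the directory discussed above, as an added example that is neither the article's nor any commenter's code: it reports which unprivileged principals have write access to a directory (defaulting to %windir%\temp) and lists any DLL or EXE files there that lack a valid Authenticode signature, which is the combination the quoted finding relies on. The `Test-LowPrivWritable` and `Get-UnsignedBinaries` function names and the principal list are this example's own choices.

```powershell
# Added audit script (not from the article or the comments): flags a directory
# that unprivileged users can write to, and unsigned binaries found inside it.
param(
    [string]$Path = (Join-Path $env:windir 'temp')
)

# Principals a non-admin user can normally act as (assumed list, extend as needed).
$lowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Rights that allow dropping a file: "Write" (which includes CreateFiles) plus CreateFiles explicitly.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-LowPrivWritable {
    param([string]$Directory)
    $acl = Get-Acl -Path $Directory
    # Returns the Allow ACEs that grant write/create rights to low-privilege principals.
    # Generic-rights ACEs (large numeric values) are not decoded here.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    }
}

function Get-UnsignedBinaries {
    param([string]$Directory)
    # Every DLL/EXE under the directory whose Authenticode signature is not Valid.
    Get-ChildItem -Path $Directory -Include *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } | Where-Object { $_.Status -ne 'Valid' }
}

$writable = @(Test-LowPrivWritable -Directory $Path)
if ($writable.Count -gt 0) {
    Write-Warning "$Path grants write access to unprivileged principals:"
    $writable | Format-Table IdentityReference, FileSystemRights -AutoSize
}
Get-UnsignedBinaries -Directory $Path | Format-Table -AutoSize
```

Run it from an elevated prompt so the ACL of the Windows temp directory can be read; a non-empty warning plus unsigned binaries in the same directory is the condition worth investigating.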
Well, of course, we had it tough. We used to 'ave to get up out of shoebox at twelve o'clock at night and lick road clean wit' tongue. We had two bits of cold gravel, worked twenty-four hours a day at mill for sixpence every four years, and when we got home our Dad would slice us in two wit' bread knife