Software Engineering Institute

A malicious Java applet run in the Lotus Notes web browser can determine if a local file exists. Notes' preferences must be set to browse the web using the Notes browser, with execution of Java applets enabled.

When a Java applet tries to access local files, Lotus Notes presents a dialog box to the user asking whether access should be allowed. It only presents this dialog after checking if the local file exists; if it does not exist, the dialog is not shown. Thus, if the applet can determine whether the dialog was shown, it will know whether the file exists.

If the dialog is shown, it will take some time for the user to notice it and click a button to dismiss it. The applet can detect whether the dialog was shown by checking the times before and after trying to access the local file. If the dialog was not shown, the time difference will be very small, while if the dialog was shown, the time difference will be substantially longer. Based on the time difference, the applet can determine if the dialog was shown and therefore whether the local file exists.

By checking for the existence of certain files, an attacker can learn what software is installed and what programs have been executed recently on the client machine. However, the attacker cannot read or modify any files through this vulnerability.

Lotus plans to fix this issue in a future release of Notes.

Disable execution of Java applets in Notes preferences. For more details, see http://www-1.ibm.com/support/docview.wss?uid=swg21102440.