There is another freshly reported security vulnerability, this time in IBM Lotus Sametime. Affected are
versions 3.1, 6.5.1 and 7.0, but not 7.5:
the affected JNILoader ActiveX control
is no longer used in Sametime 7.5, so that version is not
affected. A hotfix is available for Sametime 7.0.
But the simplest way to work around the flaw
is not to use Internet Explorer at all.
More details:
IBM Lotus Sametime JNILoader Vulnerability
iDefense contacted IBM® Lotus® to report
a potential vulnerability with the JNILoader ActiveX control used by the
IBM Lotus Sametime® Web Conferencing server.
The iDefense advisory can be accessed
from the following link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=495
The JNILoader ActiveX control was introduced
in early versions of the Sametime web conferencing server in order to prevent
crashes caused by the length of time it took to uninitialize the Sametime
audio/video DLLs when closing the browser. The JNILoader control was scriptable
to allow for DLL version changes between Sametime server releases. The
primary function of this ActiveX control was to load/unload native Sametime
DLLs; however, the control can be re-used on non-Sametime pages such that
the scriptable "loadLibrary()" function has the potential to
be exploited to load malicious code on the local workstation. This functionality
was replaced in Sametime 7.5 with a 100% Java-based and non-scriptable
solution which could be used with all browsers. In controlled environments,
there is no risk with Sametime servers. The risk is when the Sametime related
ActiveX control is used on non-Sametime web pages.
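The IBM text above explains the real risk: a scriptable ActiveX control is not tied to the site that installed it, so any web page rendered by Internet Explorer can instantiate it and call "loadLibrary()". For versions without a hotfix (3.1, 6.5.1) the standard way to neutralise such a control without uninstalling the client is Internet Explorer's "kill bit". The following PowerShell script is an added example and is neither the blog author's nor IBM's; the CLSID it takes is a placeholder parameter, because neither the post nor the technote states it, and must be read from the vendor advisory or from HKCR\CLSID on a machine with the Sametime client installed.

```powershell
# Added example (not from the original post or from IBM): set the Internet Explorer
# "kill bit" (FLAG_KILL_BIT = 0x400) for an ActiveX control so that IE refuses to
# instantiate it from any web page, Sametime-hosted or not.
# The CLSID is NOT on the original page; pass the real one as $Clsid.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid   # placeholder, e.g. '{00000000-0000-0000-0000-000000000000}'
)

$killBit = 0x400

# IE reads the flags from the native hive; on 64-bit Windows the 32-bit IE
# additionally reads the Wow6432Node view, so set both there.
$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $killBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verification: report the effective flags and fail loudly if the bit is missing.
foreach ($key in $keys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($flags -band $killBit) -eq $killBit) {
        "{0}: kill bit set (Compatibility Flags = 0x{1:X})" -f $key, $flags
    } else {
        Write-Error "$key : kill bit NOT set"
    }
}
```

Run it from an elevated PowerShell session; the change takes effect for new IE instances without a reboot. It only blocks instantiation inside Internet Explorer, so it complements rather than replaces the hotfix for 7.0 or the upgrade to 7.5, where the control is gone altogether.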