Also: Big Blue's Meltdown, Spectre status updated, and a mystery bug in AIX
IBM has warned that bugs in its Notes auto-updater mean the service can be tricked into running malicious code.
In its advisory, IBM says the Notes Smart Updater service, which sees upgrades of Notes sent to users' desktops, “can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory.”
Compromising an auto-updater is serious business: users trust them to bring in safe code, in this case new versions of Notes. Flaws in such a service are therefore extraordinarily dangerous.
The bug, CVE-2017-1711, affects versions in the Notes 8.5 and 9.0 branches.
...
...
Spectre and Meltdown POWERed down, and an AIX fix
Big Blue had a busy week last week, and on Saturday also updated security folk about its Meltdown/Spectre status here.
...
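A defender-side check for the condition IBM's advisory describes, a DLL in a temp directory carrying the name of a Windows system DLL. This is an added example, not code from IBM or the article; the two directory paths are supplied by the operator, and the function names are illustrative.

```python
"""Added example: flag DLLs in a temp directory that reuse a Windows system DLL name."""
import hashlib
import os
import sys
from pathlib import Path


def sha256(path):
    """Hash a file in chunks so large DLLs do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def system_dlls(system_dir):
    """Map lower-cased DLL file name -> path for DLLs directly in system_dir."""
    return {p.name.lower(): p for p in Path(system_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_masquerading_dlls(temp_dir, system_dir):
    """Return sorted (path, verdict) pairs for temp-dir DLLs named like system DLLs.

    verdict is "identical-copy" when the bytes match the system DLL and
    "different-content" when only the name matches (the case to triage first).
    """
    known = system_dlls(system_dir)
    findings = []
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            original = known.get(name.lower())  # Windows names are case-insensitive
            if original is None:
                continue
            candidate = Path(root) / name
            same = sha256(candidate) == sha256(original)
            findings.append((str(candidate),
                             "identical-copy" if same else "different-content"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_temp_dlls.py <temp_dir> <system_dir>
    # Both paths are the operator's choice (assumption, not from the advisory).
    for path, verdict in find_masquerading_dlls(sys.argv[1], sys.argv[2]):
        print(f"{verdict:18} {path}")
```

A name match with different content is the finding to triage first; an identical copy is more likely an installer leftover.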