Security researchers have discovered a rare, and potentially serious, security bug in Lotus Notes. A buffer overflow flaw in IBM's groupware package enables hackers to trick users into running hostile code on vulnerable systems.
The security bug stems from boundary errors within the Lotus 1-2-3 file viewer (l123sr.dll) component. Successful exploitation of the bug involves tricking users into viewing maliciously crafted Lotus 1-2-3 attachments, designed to allow the execution of arbitrary code on vulnerable systems.
The flaws, discovered by security researchers with Core Security, affect versions 7.x and 8.x of Lotus Notes. Other versions may also be affected.
Sys admins are advised to contact IBM support for patches, as explained here. ®