[alert]Security Bulletin: IBM Notes may fail to zero the plaintext password within memory (CVE-2013-0534)[/alert]

Abstract:

In some scenarios, IBM Notes may fail to zero the plaintext password within memory, leaving the plaintext password accessible to an attacker with the ability to access memory on the user’s local workstation.

Affected Platform: Notes 9.0, 8.5.X

Fix: 9.0 Interim Fix 2, 8.5.3 FP4 Interim Fix 2, 8.5.3 FP5

This issue is being tracked as SPR# JMOY95H59S and SPR# NPEI95BQLK. The fix is included in Interim Fix 2 for Notes 9.0 (technote 1640580) and Interim Fix 2 for Notes 8.5.3 Fix Pack 4 (technote 1639571). The fix will also be included in Notes 8.5.3 Fix Pack 5 (refer to the Notes/Domino Fix List to monitor Fix Pack availability status).

Technote#1636154

[alert]Security Bulletin: IBM Notes Multi User Profile Cleanup service enables an attacker to execute arbitrary code on the next logon of a user (CVE-2013-0536)[/alert]

Abstract:

An attacker on a multi-user system is able to target other users by executing code with the rights of the user.

Affected Platform: Notes 9.0, 8.0.X, 8.5.X

Fix: Notes 9.0 Interim Fix 2, 8.5.3 FP4 Interim Fix 2, 8.5.3 FP5

This issue is being tracked as SPR# PJOK959J24. The fix is included in Interim Fix 2 for Notes 9.0 (technote 1640580) and Interim Fix 2 for Notes 8.5.3 Fix Pack 4 (technote 1639571). The fix will also be included in Notes 8.5.3 Fix Pack 5 (refer to the Notes/Domino Fix List to monitor Fix Pack availability status).

Workaround:

Disable the ntmulti.exe service on the client workstation. Disabling this service will adversely affect only roaming users who are set up for roaming user clean-up. The roaming user clean-up may not be complete after disabling the service.
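
One way to apply this workaround from an elevated PowerShell prompt, as an added example that is not part of the IBM bulletin. It assumes the service can be identified by its executable path, since the bulletin names only the file ntmulti.exe and not the Windows service name.

```powershell
# Added example: locate the service backed by ntmulti.exe, stop it and disable it.
# Assumption: the service is matched by its binary path, because the bulletin
# gives only the executable name. Run from an elevated PowerShell session.
$pattern  = '*ntmulti.exe*'
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like $pattern }

if (-not $services) {
    Write-Output 'No service backed by ntmulti.exe was found on this workstation.'
}
else {
    foreach ($svc in $services) {
        Write-Output ("Found {0} (state: {1}, start mode: {2})" -f `
            $svc.Name, $svc.State, $svc.StartMode)

        # Stop the running instance so the change takes effect before the next logon.
        if ($svc.State -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force
        }

        # Prevent the service from starting again at boot or on demand.
        Set-Service -Name $svc.Name -StartupType Disabled
    }

    # Re-query to confirm the result: expect State Stopped and StartMode Disabled.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like $pattern } |
        Select-Object Name, State, StartMode, PathName
}
```

Re-run the final query after installing or repairing Notes to confirm the service is still disabled until the fixed version is in place.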

Technote#1633827
