Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   IBM iNotes and Domino Vendors:   IBM
IBM Lotus Notes Buffer Overflows in File Viewer for WordPerfect Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1021859
SecurityTracker URL:
CVE Reference:   CVE-2008-4564   (Links to External Site)
Date:  Mar 18 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.5, 7.0, 8.0
Description:   A vulnerability was reported in IBM Lotus Notes File Viewer for WordPerfect. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted WordPerfect document that, when viewed by the target user, will trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

An anonymous researcher reported this vulnerability via iDefense.

Impact:   A remote user can create a file that, when viewed by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix for Notes 7.x and 8.0x client versions. The vendor has described workarounds for prior versions.

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  iDefense Security Advisory 03.17.09: Autonomy KeyView Word Perfect

iDefense Security Advisory 03.17.09
Mar 17, 2009


Autonomy KeyView SDK is a commercial SDK that provides many file format
parsing libraries. It supports a large number of different document
formats, one of which is the Word Perfect Document (WPD) format. It is
used by several popular vendors for processing documents. For more
information, visit the URL below.


Remote exploitation of a stack-based buffer overflow in Autonomy Inc's
KeyView SDK allows attackers to execute arbitrary code with the
privileges of the current user.

This vulnerability exists within the "wp6sr.dll" which implements the
processing of Word Perfect Documents. When processing certain records,
data is copied from the file into a fixed-size stack buffer without
ensuring that enough space is available. By overflowing the buffer, an
attacker can overwrite control flow structures stored on the stack.


Exploitation allows attackers to execute arbitrary code with the
privileges of the user. In order to exploit this vulnerability, an
attacker must cause a specially crafted Word Perfect Document to be
processed by an application using the Autonmoy KeyView SDK.

In cases such as Lotus Notes, this requires that an attacker convince a
user to view an e-mail attachment. However, in other cases processing
may take place automatically as a document is examined.


iDefense confirmed that this vulnerability exists within Lotus Notes 8
installed on a Windows XP SP3 machine. All applications which utilize
the Autonomy KeyView SDK to process Word Perfect Documents are
suspected to be vulnerable.


For Lotus Notes, it is possible to disable the processing of WPD files
by removing, or commenting out, the line referencing "wp6sr.dll" from
the "KeyView.ini" file within the Lotus Notes program directory.
Deleting "wp6sr.dll" from the affected system will also prevent

For Symantec Mail Security, disabling "content filtering" will prevent

Additional workarounds are available from the individual vendors'
advisories referenced below.


IBM Support has released workarounds and a patch which addresses this
issue. For more information, consult their advisory at the following

Symantec has released patches which addresses this issue. For more
information, consult their advisory at the following URL:

Autonomy has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4564 to this issue. This is a candidate for inclusion in
the CVE list (, which standardizes names for
security problems.


01/14/2008  to IBM & Symantec - 1st notice
11/24/2008  to Autonomy - 1st notice
12/04/2008  From Autonomy - 1st response
12/04/2008  to Autonomy - 2nd notice
12/05/2008  From Autonomy - PoC Request
12/08/2008  to Autonomy - PoC sent
12/09/2008  From Autonomy - PoC Resend Request
12/09/2008  to Autonomy - PoC Resend sent
12/11/2008  From Autonomy - PoC Clarification Request
12/11/2008  to Autonomy - PoC Clarification reply
01/14/2009  From Autonomy - Reset tentative disclosure / patch date
01/14/2009  From Symantec - 1st response
01/19/2009  From IBM - 1st response & PoC Request
01/21/2009  From Autonomy - New proposed tentative disclosure date - End
of February 2009
01/21/2009  From Symantec - Proposed tentative disclosure date -
February 24, 2009
01/30/2009  Multiple vendor coordination status sent
01/30/2009  to IBM - PoC resent
02/05/2009  From IBM - clarification request
02/12/2009  From IBM - clarification request
02/13/2009  to IBM - clarification response
02/18/2009  From IBM - requests PoC clarification
02/19/2009  to IBM - PoC clarification sent
02/23/2009  From Symantec - cross-vendor status request
02/23/2009  to Symantec - cross-vendor status sent
02/27/2009  From IBM - progress report received
02/27/2009  From Symantec - cross-vendor status request
03/02/2009  From IBM - vulnerability confirmed, patch ready
03/10/2009  All vendors agree on March 17, 2009
03/10/2009  From IBM - Proposed tentative date be a Tuesday or Wednesday
03/10/2009  From Symantec - cross-vendor status request
03/10/2009  From Symantec - cross-vendor status request
03/10/2009  Multiple vendor coordination status sent - proposed March
17, 2009 release
03/10/2009  To Symantec - status report sent
03/17/2009  Coordinated Public Disclosure


The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research

Free tools, research and upcoming events


Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
To unsubscribe, go here:


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC