TUCoPS :: IBM(multi) :: notes14.htm

Lotus Notes will not warn you of messages with broken signatures 
Vulnerability

    Lotus Notes

Affected

    Lotus Notes all R5 client versions up to the latest R5.0.5

Description

    Vinci Chou found following.  If you receive a clear signed  S/MIME
    e-mail with a broken signature, e.g. the mail body is modified  by
    a third party  during transmission,   Lotus Notes client  does not
    warn you that the signature is broken.  The mail is displayed just
    like any  unsigned e-mail.   If you  receive an  encrypted  S/MIME
    e-mail  that  is  corrupted,  Lotus  Notes  client display a blank
    message.   Other  Internet  mail  clients  would  display  warning
    messages in both cases.

    Not sure if this  should be classified as  security vulnerability.
    The warning is  an indication that  someone may be  tampering with
    the  messages.   The  lack  of  warning  is  also  very misleading
    especially in places where digital signature is recognised by law.

    R5 has  been on  the market  for about  two years  and it  is real
    disappointed that these  obvious problems are  still there in  the
    latest R5.0.

Solution

    Patch not available so far.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH