Windows Lotus cc:Mail Security upgrade

             _____________________________________________________
                         The U.S. Department of Energy
                     Computer Incident Advisory Capability
                             ___  __ __    _     ___
                            /       |     / \   /
                            \___  __|__  /___\  \___
             _____________________________________________________

			   Information Bulletin

	         Lotus cc:Mail Security Upgrade Available

March 7, 1994 900 PST                                              Number E-11
______________________________________________________________________________
PROBLEM:  Passwords are vulnerable on local hard drives 
PLATFORM: Lotus cc:Mail Windows 2.0 and 2.01 
DAMAGE:   Accounts could be compromised if another person is allowed access
          to a cc:Mail user's personal computer  
SOLUTION: Retrieve and install cc:Mail 2.02 for Windows, then have all
          users change their passwords.
______________________________________________________________________________

         Critical Information about Lotus CCMAIL Security Upgrade

CIAC has received information from Lotus regarding a vulnerability in cc:Mail
for Windows. Under certain circumstances, the user's password can be viewed
on their local hard drive.  This vulnerability exists only in cc:Mail Windows
2.0 and 2.01.

To correct the problem, a software upgrade, cc:Mail for Windows 2.02, has
been made available.  This upgrade is contained in the file WINFIX.ZIP.
WINFIX.ZIP can be downloaded from three sources: anonymous ftp, CompuServe,
or the Lotus cc:Mail BBS.  The file is available via anonymous ftp from
ftp.ccmail.com in the /pub/windows directory.  On the anonymous ftp server,
WINFIX.ZIP is dated Feb 19 00:53 and is 279803 bytes long.

In CompuServe, perform the following commands: 

  a. Enter the Lotus forum by typing GO LOTUSC from any CompuServe prompt.
  b. Enter Section 10 when prompted for which section.
  c. From within Section 10, select "Download" and download the file
     WINFIX.ZIP.

The Lotus cc:Mail BBS is available to everyone via modem.  The telephone
number is (415) 691-0401.  Your modem setting should be: 8 data bits, No
Parity, 1 stop bit.  Once connected, go to the "File Area" by typing "F".
Select the download option and download the file WINFIX.ZIP.  On the BBS,
WINFIX.ZIP is 279803 bytes long and is dated 2/18/94 at 2:02a.

After unzipping WINFIX.ZIP, the following files are available:

ccmail.exe    628656 bytes
readme.now    1062 bytes

Your next step is to install this upgrade.  Change to the directory (which is
likely to be m:\ccmail) that contains the old version of ccmail.exe.  Rename
the old copy of ccmail.exe to ccmail.old, and then copy the new ccmail.exe to
the directory.  If cc:Mail for Windows has been installed on a network, the
system administrator only needs to change the network copy of ccmail.exe.  If
cc:Mail for Windows has been installed locally, ccmail.exe must be installed
in the proper directory of every workstation.
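
The following Python script is an added example, not part of the CIAC
bulletin or of the Lotus upgrade. It checks the unzipped files against the
sizes listed above and then performs the rename-and-copy step; the function
names and directory arguments are assumptions made for illustration.

```python
import os
import shutil
import sys

# Sizes published in the bulletin, in bytes. No checksums are published, so
# this catches truncated or wrong files, not deliberate tampering.
EXPECTED_SIZES = {"ccmail.exe": 628656, "readme.now": 1062}


def check_sizes(extract_dir):
    """Return a list of problems; an empty list means every size matches."""
    problems = []
    for name, want in EXPECTED_SIZES.items():
        path = os.path.join(extract_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
        elif os.path.getsize(path) != want:
            got = os.path.getsize(path)
            problems.append(f"{name}: {got} bytes, expected {want}")
    return problems


def install_upgrade(extract_dir, ccmail_dir):
    """Rename the old ccmail.exe to ccmail.old, then copy in the new one."""
    problems = check_sizes(extract_dir)
    if problems:
        raise ValueError("refusing to install: " + "; ".join(problems))
    current = os.path.join(ccmail_dir, "ccmail.exe")
    backup = os.path.join(ccmail_dir, "ccmail.old")
    if not os.path.isfile(current):
        raise FileNotFoundError(f"no ccmail.exe in {ccmail_dir}")
    if os.path.exists(backup):
        # A second run would overwrite the only copy of the old binary.
        raise FileExistsError(f"{backup} already exists")
    os.rename(current, backup)
    try:
        shutil.copyfile(os.path.join(extract_dir, "ccmail.exe"), current)
    except OSError:
        os.replace(backup, current)  # roll back to the old executable
        raise
    return backup


if __name__ == "__main__":
    # Usage (paths are examples): python winfix_install.py C:\winfix M:\ccmail
    if len(sys.argv) != 3:
        sys.exit("usage: winfix_install.py EXTRACT_DIR CCMAIL_DIR")
    print("old version kept as", install_upgrade(sys.argv[1], sys.argv[2]))
```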

After installation of ccmail.exe, all users should change their password.

______________________________________________________________________________

CIAC would like to thank Lally Thomas and Gary Schuppert of CDSI for bringing
this problem to our attention.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   (510) 422-8193
    FAX:     (510) 423-8002
    STU-III: (510) 423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
______________________________________________________________________________


