The culprit behind the vulnerability is Java again – automatic execution of JavaScript code to be more specific. As seen in the case of web pages over the last few months automatic JavaScript execution leads to compromise of systems, users who have email clients installed on systems that allow for automatic execution too are vulnerable. This is the reason almost all email clients out there have turned off JavaScript and Java when displaying an HTML email – except for IBM’s Notes.

IBM heeded to the security lapse, as reported by a third-party security expert, and has started working towards security its email and workgroup solution. IBM Notes use a Java environment – Java 6 SR 12, which is known to be full of security holes and allowing the software to automatically load and execute JavaScript code as well as Java applets from external servers is a definitely a huge security risk.

In a bid to address this vulnerability IBM has made available ‘Interim fixes’ that disables these functions. Users, who know their way around the file system, can also go about manually changing Notes settings by setting the following variables in notes.ini file:


IBM has assigned a CVSS base score of 4.3 indicating that the vulnerability is not much of a problem. But, security researcher Alexander Klink of n.runs who discovered the vulnerability has an issue with IBM’s assessment. He is of the opinion that attackers will be able to take complete control of systems by exploiting this vulnerability. “Considering how widely Notes is used by businesses, it’s a very attractive target with a high risk potential.” he said.