Some of the six holes can allow attackers to hijack corporate systems even if users only view incoming e-mail.
Six critical vulnerabilities have been found in IBM's Lotus Notes, Big Blue and security firms announced Friday, including some that could allow attackers to hijack corporate systems if users simply viewed incoming e-mail.
Danish vulnerability tracker Secunia, which discovered the half-dozen bugs, tagged them as "Highly critical," its second-from-the-top alert rating, and said that some of the flaws would create buffer overflows, normally the only entry hackers need to start dropping their own code onto a compromised computer.
Some of the vulnerabilities, said Secunia, can be exploited if users only view malicious e-mails, while others require users to open attachments or extract files from a zipped file attached to a message. Several versions of Notes are at risk, including 7.0 and 6.5.4. Upgrading Notes to 6.5.5 or 7.0.1 solves the problem, said IBM.
"In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments," IBM also recommended in its advisory. IBM offered up work-arounds for customers unable to patch immediately, but they required users or administrators to disable a number of DLLs.
The last bugs to hit Notes were a handful in early January, when IBM itself acknowledged that the e-mail system and its client were open to denial-of-service (DoS) attacks.