Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability

Bugtraq ID:	12913
Class:	Design Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 28 2005 12:00AM
Updated:	Mar 28 2005 12:00AM
Credit:	Discovery of this vulnerability is credited to Juha-Matti Laurio.
Vulnerable:	Microsoft Outlook 2002 Connector for IBM Lotus Domino 1.0
Not Vulnerable:

Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability

Microsoft Outlook 2002 Connector for IBM Lotus Domino is reported prone to a policy bypass vulnerability. It is reported that the Microsoft Outlook 2002 Connector for IBM Lotus Domino saves login credentials locally even when a Group policy is in place that is supposed to prevent this.

This may result in a false sense of security. An attacker with knowledge of a valid username may employ the cached passwords to authenticate successfully to the connected IBM Lotus Domino server.

Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability

No exploit is required.

Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability

Solution:
The vendor has released a hotfix to address this issue. Customers are advised to contact Microsoft Product Support Services to obtain the hotfix.

Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability

References:

• Description of the Microsoft Outlook 2002 Connector post-Service Pack 1 hotfix p (Microsoft)
  
• Outlook 2002 Connector for IBM Lotus Domino Homepage (Microsoft)
  
• The Outlook 2002 Connector for IBM Lotus Domino saves passwords when you use it (Microsoft)