Microsoft Outlook Connector for IBM Lotus Domino vulnerability

Affected versions: 2002, 2003

Juha-Matti Laurio reported a vulnerability in the Microsoft Outlook Connector for IBM Lotus Domino. A user can choose to store passwords locally in violation of Group Policy. A remote authenticated user can select ‘Remember password’ when authenticating to a Lotus Domino server, causing the user’s password to be cached locally even if there is a Group Policy that prohibits local password caching.

The flaw resides in ‘MSOC32.dll’ and ‘MSOCep.dll’. The system may also retain older, previously used passwords.
 
Impact: A user can choose to store passwords locally in violation of Group Policy.
 
Solution: A hotfix is available from Microsoft Product Support Services, as described in a knowledge base article:

http://office.microsoft.com/en-gb/assistance/HA011364481033.aspx

http://securitytracker.com/alerts/2005/Mar/1013583.html
