Lotus Notes Client R5 is a messaging and collaboration tool that contains a built in web browser. The web browser implements a Java Virtual Machine (VM) designed specifically for Lotus Notes. A security vulnerability exists in the Execution Control List (ECL) feature within the Java VM that may allow a third party intruder to verify the existence of files on the system. The ECL utilizes a much more lenient ruleset when accessing local files than the standard Java security model implemented by JDK 1.1 which prohibits any access to local files. The ECL will present the user with a dialogue box whenever he/she attempts to read an existing local file if the getSystemResource() method of the java.lang.ClassLoader class is used. At this point, the user can either authorize execution or abort the operation. By observing the time elapsed during execution, it is possible to verify the existence of files on the target machine through a specially crafted java applet. If a malicious website operator were to host such a java applet on their site, they would be able to determine what files exist on the visitor's systems.
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.