The bug affects Lotus Notes versions 4.5 and 4.6, Lotus said. The problem allows encrypted mail sent from Notes to possibly cross the network in the clear and get stored on the mail server unencrypted, according to a bug advisory posted yesterday by Bugtraq and Lotus.
Lotus, an IBM subsidiary, said it is aware of the bug and is currently working on a fix. It added that there is no similar problem in the upcoming Notes release 5, also known as R5, which is due out by the end of this month.
Usually the Notes client sends at least two copies of newly created mail. One copy is sent to the recipient, the other is stored in the "Sent Mail" folder of the sender's Notes server.
The bug causes the copy placed in the sender's "Sent Mail" folder to be left unencrypted, Lotus said. As a result, that copy is sent unencrypted across the network and stored on the Notes server in unencrypted form.
The message may be intercepted and read by analyzing the network traffic between the sender's Notes client and the server or by directly accessing the "Sent Mail" folder on the Notes server, according to the advisory.
"The user is not given any warning or notification about the problem, and the problem causes almost no noticeable side effects. As a result, if a user is affected by the problem, this will probably remain unnoticed," the advisory stated.
Although a patch has not been posted on the Lotus Web site, the companies recommend two workarounds.
First, administrators should check that the correct syntax is used to specify the "Mail File Location" in the "Location Document." Second, users should click the "Encrypt Saved Mail" button in the "Mail Preferences" area every time they send an encrypted message, the company explained.