[7568] in bugtraq
Re: New Eudora bug ?
daemon@ATHENA.MIT.EDU (Anthony Roybal)
Fri Aug 7 18:00:32 1998
Date: Fri, 7 Aug 1998 11:32:56 -0700
Reply-To: Anthony Roybal <tony@UCLINK.BERKELEY.EDU>
From: Anthony Roybal <tony@UCLINK.BERKELEY.EDU>
X-To: Patrick Oonk <patrick@PINE.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199808071619.SAA28789@atro.pine.nl>
Here is Qualcomm's alert from:
<http://eudora.qualcomm.com/security.html>
Anthony
Eudora Pro Security Alert
You may have read recently that there is potential for unauthorized
programs to be run on your system through the use of hostile Java scripts
and/or applets. This problem affects users of the Windows versions of
Eudora Pro Email 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and
4.0.1. Note that Eudora Light users, users of previous versions of Eudora
Pro, and Macintosh users are not susceptible to these Java attacks.
QUALCOMM became aware of this problem yesterday (8/6/98) and will be
offering an updater for Windows Eudora Pro and CommCenter 4.0.1 and 4.0
within the next few hours that addresses these issues and will prevent
these types of attacks. QUALCOMM will also make available a new Eudora Pro
4.1 beta that contains these fixes by Friday afternoon Pacific Standard
Time.
Until the new software is posted, you can protect yourself by turning off
the Microsoft viewer from within Eudora. To do this, follow these steps:
1. In Eudora, go to the Tools menu and choose "Options".
2. On the left hand side of the options window, select "Viewing Mail".
3. On the right hand side of the options window, make sure the box next to "Use Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.
Eudora Pro Email, Eudora Pro CommCenter and Eudora Light are not
susceptible to buffer overflow security problem
QUALCOMM rigorously tested its line of Eudora email software after becoming
aware of the buffer overflow security problems recently found in Microsoft
and Netscape email programs. QUALCOMM is pleased to announce that its
Eudora email products are not susceptible to the types of attacks that can
harm the computers of users of these other products.
QUALCOMM tested Eudora Pro and Eudora CommCenter versions 4.0, as well as
Eudora Pro and Eudora Light versions 3.0 on both the Windows and Macintosh
platforms. In all cases, Eudora does not allow any unauthorized programs to
be automatically executed on a user's system.
At 6:19 PM +0200 8/7/98, Patrick Oonk wrote regarding "New Eudora bug ?":
> http://www.nytimes.com/library/tech/98/08/biztech/articles/07email-code.html
>
> SAN FRANCISCO -- Just days after a serious security flaw was revealed in two
> popular electronic mail programs, an equally troubling vulnerability has been
> discovered in Eudora, the most widely used of all e-mail software.
>
> The Eudora flaw makes it possible for a malicious computer user with little or
> no programming expertise to booby-trap an e-mail message by inserting a
> seemingly harmless link to an Internet location that in fact executes
> malignant code. This could permit an attacker to destroy or steal data or to
> otherwise tamper with a personal computer.
--
Anthony Roybal
Information Systems & Technology
University of California at Berkeley
<mailto:ar@socrates.berkeley.edu>
<http://socrates.Berkeley.EDU/~ar>