Bugtraq mailing list archives

Re: New Eudora bug ?


From: tony () UCLINK BERKELEY EDU (Anthony Roybal)
Date: Fri, 7 Aug 1998 11:32:56 -0700


Here is Qualcomm's alert from:

<http://eudora.qualcomm.com/security.html>

Anthony


Eudora Pro Security Alert

You may have read recently that there is potential for unauthorized
programs to be run on your system through the use of hostile Java scripts
and/or applets. This problem affects users of the Windows versions of
Eudora Pro Email 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and
4.0.1. Note that Eudora Light users, users of previous versions of Eudora
Pro, and Macintosh users are not susceptible to these Java attacks.

QUALCOMM became aware of this problem yesterday (8/6/98) and will be
offering an updater for Windows Eudora Pro and CommCenter 4.0.1 and 4.0
within the next few hours that addresses these issues and will prevent
these types of attacks. QUALCOMM will also make available a new Eudora Pro
4.1 beta that contains these fixes by Friday afternoon Pacific Standard
Time.

Until the new software is posted, you can protect yourself by turning off
the Microsoft viewer from within Eudora. To do this, follow these steps:

1. In Eudora, go to the Tools menu and choose "Options".
2. On the left hand side of the options window, select "Viewing Mail".
3. On the right hand side of the options window, make sure the box next to
   "Use Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.

Eudora Pro Email, Eudora Pro CommCenter and Eudora Light are not
susceptible to buffer overflow security problem

QUALCOMM rigorously tested its line of Eudora email software after becoming
aware of the buffer overflow security problems recently found in Microsoft
and Netscape email programs. QUALCOMM is pleased to announce that its
Eudora email products are not susceptible to the types of attacks that can
harm the computers of users of these other products.

QUALCOMM tested Eudora Pro and Eudora CommCenter versions 4.0, as well as
Eudora Pro and Eudora Light versions 3.0 on both the Windows and Macintosh
platforms. In all cases, Eudora does not allow any unauthorized programs to
be automatically executed on a user's system.



At 6:19 PM +0200 8/7/98, Patrick Oonk wrote regarding "New Eudora bug ?":

http://www.nytimes.com/library/tech/98/08/biztech/articles/07email-code.html

SAN FRANCISCO -- Just days after a serious security flaw was revealed in two
popular electronic mail programs, an equally troubling vulnerability has been
discovered in Eudora, the most widely used of all e-mail software.

The Eudora flaw makes it possible for a malicious computer user with little
or no programming expertise to booby-trap an e-mail message by inserting a
seemingly harmless link to an Internet location that in fact executes
malignant code. This could permit an attacker to destroy or steal data or to
otherwise tamper with a personal computer.

--
Anthony Roybal
Information Systems & Technology
University of California at Berkeley

<mailto:ar () socrates berkeley edu>
<http://socrates.Berkeley.EDU/~ar>


