Bugtraq mailing list archives

Description of the Eudora Security Hole


From: aleph1 () DFW NET (Aleph One)
Date: Fri, 7 Aug 1998 15:10:37 -0500


---------- Forwarded message ----------
Date: Fri, 7 Aug 1998 14:58:53 -0400
From: Richard M. Smith <rms () PHARLAP COM>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Description of the Eudora Security Hole

Hello,

Attached is my original message to Qualcomm and Microsoft which describes
the booby-trapped link bug which I found last weekend in Eudora 4 and which was reported in
the NY Times today.

The lesson from this bug is that it's a really bad idea for an Email reader to automatically
execute JavaScript, Java, and ActiveX in Email messages.  These programming languages
should be turned off by default in Email. Qualcomm is planning to make this change in Eudora.
Hopefully Microsoft and Netscape will do the same thing in their Email reader products.

Richard M. Smith
Phar Lap Software, Inc.

http://smallest.pharlap.com -- "The World's Smallest Web Server"

=========================================================================

Dear Qualcomm and Microsoft,

Over the last week there has been a great deal of news
coverage regarding the buffer overflow errors in the Outlook
Express and Netscape Email readers.  These errors were found
by researchers from Finland.  According to news reports, Eudora is
immune to these same errors.  However, I believe I have a much more
serious security hole in the Windows 95 version of Eudora 4.0 and 4.01.
This hole allows a malicious person to create a booby-trapped Email
message that will run a Windows executable program attached to the message.
All that is required to activate the booby-trap is for the person reading the Email
message to click on a link in the text of the message.  The link
appears in the message text as a legitimate link to a page or article
on the Web.

The program can potentially cause all sorts
of damage such as erasing the hard disk, installing a virus
on the victim's computer, or stealing private files and
Email messages.  The program to be executed can be either
a standard Windows .EXE file or a DOS batch file.

The booby-trapped Email message requires no special
skills or programmer utilities.  The text of the message
can be typed directly into Eudora as HTML or copied from
a file.  The program to be executed is sent as a
standard attachment in Eudora.

I believe that the security hole was introduced in Eudora 4
with adoption of Microsoft's Internet Explorer 4 browser to
display HTML-based Email messages.  To actually fix the problem may
take some work.  The booby-trap Email message exploits a number of anomalies
in Eudora 4 and Internet Explorer 4.  It is unclear exactly who
will need to fix the problem, whether it is Qualcomm, Microsoft, or both.

There does exist a work-around to the problem which is
to turn off the Microsoft Email viewer in Eudora.  However, using
this fix means that users lose the ability to view
HTML Email messages.  The bug also seems to go away if
Internet Explorer 3 is installed on the machine instead
of IE4 or if Netscape Navigator is running at the same time
as Eudora.

I've created a demo Email message of the security
hole that runs a harmless program that prints out some
text about the problem.  It was tested on 6 different
systems running Eudora 4.0 and 4.01 with IE4 and the demo worked
on all of these systems.  All of the systems were running
Windows 95.  The security hole likely exists on
Windows NT and Windows 98 also, but we haven't had a
chance to verify this yet.

The demo version uses the following short "pitch letter":

------------------------------------------------------------------
News flash -- Clinton resigns -- full story at the New York Times:

     http://www.nytimes.com
------------------------------------------------------------------

The link "http://www.nytimes.com" is highlighted by Eudora and if
it is clicked on, is booby-trapped to run an executable named
"BADNEWS.EXE" instead of going to the New York Times Web site.
This executable is attached to the Email message but no
attachment icons are displayed by Eudora at the bottom of
the message.  BADNEWS.EXE is a simple C program that prints
out the following text:


--------------------------------------------------------------------------------
This is a Windows .EXE file which was automatically executed
by Eudora from an Email message.  This program is harmless, but just as
easily could have been a Trojan horse program that erased your hard
disk, infected your computer with a virus, or stole all of your
private files.

The program was sent to you as a hidden attachment to the "Clinton Resigns"
Email message.  (No, he didn't really resign!).  Because of a number of
security holes in Eudora, this .EXE file was run by mistake when you clicked on
the booby-trapped link to the New York Times.

Reading Email in Eudora is no longer safe.  As a temporary solution, we
recommend immediately turning off the Microsoft viewer in Eudora:

        1.  Select the "Options..." command on the Eudora "Tools" menu
        2.  Select the "Viewing Mail" icon in the "Category" list
        3.  Click off "Use Microsoft's viewer"
        4.  Push the "OK" button.

Hit enter to exit -->

--------------------------------------------------------------------------------

At Phar Lap, we discovered the key holes in Eudora 4/IE4 while creating client/server
applications based on HTML and JavaScript for our realtime operating
system product line (http://smallest.pharlap.com and
http://jshelper.pharlap.com).  We have also found a number of other major
security holes in Eudora 4 that are not quite as serious.  We haven't
fully characterized these problems yet so I can't pass along any
information about them quite yet.

My one question is: what is the best way to proceed to get the
booby-trapped link security hole fixed?

Richard M. Smith
President, Phar Lap Software, Inc.

PS.  None of the links in this message have been booby-trapped! :)
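
Added example, not part of the original message and not Qualcomm, Microsoft or Phar Lap code: a mail-filter style check in Python that flags the two things the message warns about in an HTML body, namely active content (script, applet, object and similar tags, inline event handlers) and links whose visible URL text names a different host than the link target. The tag list, function names and sample bodies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of tags treated as active content (not taken from the message).
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}

class MailHtmlAudit(HTMLParser):
    """Collect (kind, detail) findings for one HTML mail body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag))
        for name in attrs:
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(("event-handler", f"{tag}.{name}"))
        if tag == "a" and "href" in attrs:
            self._href, self._text = (attrs["href"] or "").strip(), []

    def handle_data(self, data):
        if self._href is not None:  # inside <a href=...>: record visible text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, shown = self._href, "".join(self._text).strip()
        self._href = None
        target = urlparse(href)
        if target.scheme.lower() not in ("http", "https", "mailto"):
            self.findings.append(("non-web-link", href))
        elif shown.lower().startswith(("http://", "https://")) \
                and urlparse(shown).hostname != target.hostname:
            self.findings.append(("text-href-mismatch", f"{shown} -> {href}"))

def audit(html):
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample bodies (placeholders only, not the demo message).
SUSPECT = ('<p>Full story: <a href="http://example.invalid/x" onclick="placeholder()">'
           'http://www.nytimes.com</a></p><script>placeholder()</script>')
CLEAN = '<p>Full story: <a href="http://www.nytimes.com/">http://www.nytimes.com</a></p>'

if __name__ == "__main__":
    for kind, detail in audit(SUSPECT):
        print(kind, detail)
```

A reader or gateway that renders HTML mail with scripting disabled would treat any finding from `audit` as a reason to show the message as plain text.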