IP: Eudora "Stealth Attachment" Security Hole Discovered from RISKS

[Dave Farber <farber () cis upenn edu>]

> Date: Thu, 27 Apr 2000 18:35:39 -0500
> From: Bennett Haselton <bennett () peacefire org>
> Subject: Peacefire: Eudora "Stealth Attachment" Security Hole Discovered
>
> Peacefire has discovered a security hole in all versions of Eudora mail for
> Windows, that can allow a hacker to execute code on a user's machine, by
> sending the user e-mail and having them click on a link:
>
>         http://www.peacefire.org/security/stealthattach/
>
> (For example, a Eudora user would see this message with the URL above made
> into a hyperlink so that you can click on it and load it into your browser.
> Using the "stealth attachment" security exploit, you can force code to run
> on the user's machine when they click on the link.  Don't worry, *this*
> message is safe :-) But you can go to the above URL and request a
> "demonstration mail" to be sent to you.)
>
> Security holes that allow you to run code on a remote user's machine just by
> sending them e-mail, are extremely dangerous -- a hacker could use this to
> steal or erase any classified data on a remote user's hard drive, even if
> that user were behind a corporate firewall and had anti-virus software
> running.  A virus writer could use the exploit to write a virus that could
> spread to almost all Eudora users -- numbering in the millions -- and
> potentially do hundreds of millions of dollars' worth of damage.  (Unlike
> most such tricks, this exploit does not require the user to do anything
> "naive", like run an .exe that is sent to them as an attachment.)  USA Today
> reported last year on the "BubbleBoy" virus, which similarly used a security
> hole in Microsoft Outlook to cause code to run on a user's machine, simply
> by reading an e-mail message:
> http://www.usatoday.com/life/cyber/tech/ctg633.htm
>
> Unfortunately, unlike the security hole that Peacefire discovered last
> week:
>         http://www.peacefire.org/security/jscookies/
>         http://news.cnet.com/news/0-1005-200-1717169.html
>         http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
>         http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm
>
> this security hole doesn't involve any cool industry buzzwords like
> "javascript" or "cookies".  This one just involves -- *YAWN* --
> e-mail.  That is, like, *so* 20th-century.  Sorry if this is inconvenient
> for journalists writing about this stuff :-)
>
> bennett () peacefire org     (425) 649 9024      http://www.peacefire.org