Vulnerability Development mailing list archives

Re: Eudora incoming email affects behavior


From: ryo_ohki_d () EXCITE COM (jeff Foster)
Date: Sun, 20 Feb 2000 13:16:54 -0800


On Fri, 18 Feb 2000 01:52:46 -0800, Jay D. Dyson wrote:

 On Fri, 18 Feb 2000, Thomas Kluegel wrote:

 > When a person downloads and uses the newly released adware Eudora 4.3,
 > Qualcomm eventually sends out an email entitled:
 >
 > "Eudora Profile Information for youraddress () domain com".
 >
 > When Eudora receives this email it recognizes it as special and loads
 > personal profile information.  This seems very questionable, to
 > distribute a client that can respond to special message emails sent to
 > it.  One wonders, what else can it do?  Whatever Qualcomm can make it do
 > via email, surely a forged email sent by anybody could do the same.
 > Also, we have to take their word that arbitrary code execution isn't a
 > part of the new Eudora's design.
 >
 > Am I off in the weeds with my concern on this?

      Sounds like a sane concern to me.  For what it's worth, any
 special event triggered by a simple e-mail with little or no attempt at
 serious authentication of origin strikes me as an issue of merit.

      I'd like to see a copy of this message with full headers.  With
 that alone, we can play with some forgeries and see what shakes loose.  It
 should prove interesting, to say the least.

 -Jay

    (                                                             ______
    ))   .-- "There's always time for a good cup of coffee." --.   ===<--.
  C|~~| (>-- Jay D. Dyson -- jdyson () techreports jpl nasa gov --<) |   = |-'
   `--'  `- It's a thankless job, but I've got Karma to burn. -'  `-----'


I'd also like a copy. I've been playing around with Eudora and noticed some
other, well, nifty tricks it allows. I am compiling a quick list of some of
the cooler tricks and will send them on this list soon.

You're never too old to learn something stupid.
