Bugtraq mailing list archives
Re: New Eudora bug ?
From: tony () UCLINK BERKELEY EDU (Anthony Roybal)
Date: Fri, 7 Aug 1998 11:32:56 -0700
Here is Qualcomm's alert from: <http://eudora.qualcomm.com/security.html>

Anthony

Eudora Pro Security Alert

You may have read recently that there is potential for unauthorized programs to be run on your system through the use of hostile Java scripts and/or applets. This problem affects users of the Windows versions of Eudora Pro Email 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that Eudora Light users, users of previous versions of Eudora Pro, and Macintosh users are not susceptible to these Java attacks.

QUALCOMM became aware of this problem yesterday (8/6/98) and will be offering an updater for Windows Eudora Pro and CommCenter 4.0.1 and 4.0 within the next few hours that addresses these issues and will prevent these types of attacks. QUALCOMM will also make available a new Eudora Pro 4.1 beta that contains these fixes by Friday afternoon Pacific Standard Time.

Until the new software is posted, you can protect yourself by turning off the Microsoft viewer from within Eudora. To do this, follow these steps:

1. In Eudora, go to the Tools menu and choose "Options".
2. On the left hand side of the options window, select "Viewing Mail"
3. On the right hand side of the options window, make sure the box next to "Use Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.

Eudora Pro Email, Eudora Pro CommCenter and Eudora Light are not susceptible to buffer overflow security problem

QUALCOMM rigorously tested its line of Eudora email software after becoming aware of the buffer overflow security problems recently found in Microsoft and Netscape email programs. QUALCOMM is pleased to announce that its Eudora email products are not susceptible to the types of attacks that can harm the computers of users of these other products. QUALCOMM tested Eudora Pro and Eudora CommCenter versions 4.0, as well as Eudora Pro and Eudora Light versions 3.0 on both the Windows and Macintosh platforms. In all cases, Eudora does not allow any unauthorized programs to be automatically executed on a user's system.

At 6:19 PM +0200 8/7/98, Patrick Oonk wrote regarding "New Eudora bug ?":
http://www.nytimes.com/library/tech/98/08/biztech/articles/07email-code.html

SAN FRANCISCO -- Just days after a serious security flaw was revealed in two popular electronic mail programs, an equally troubling vulnerability has been discovered in Eudora, the most widely used of all e-mail software.

The Eudora flaw makes it possible for a malicious computer user with little or no programming expertise to booby-trap an e-mail message by inserting a seemingly harmless link to an Internet location that in fact executes malignant code. This could permit an attacker to destroy or steal data or to otherwise tamper with a personal computer.

--
Anthony Roybal
Information Systems & Technology
University of California at Berkeley
<mailto:ar () socrates berkeley edu>
<http://socrates.Berkeley.EDU/~ar>