Bugtraq mailing list archives

Re: Eudora security bug - executes URL


From: aleph1 () DFW NET (Aleph One)
Date: Fri, 7 Aug 1998 16:03:24 -0500


On Fri, 7 Aug 1998, Stout, Bill wrote:

> > Problem is the way Eudora 4x interacts with MSIE 4x and javascript.
>
> Please detail that on the list, since many of us can't enter NYT.  Maybe
> Aleph One can also expand on that.  I would expect that any program with
> integrated Internet capability would have similar security problems.

Note: I had no access to the exploit for this vulnerability so I have no
clue if this is really how it works. It's also been over a month since I
looked at the IE HTML control and my memory is not the best. I do not
consider myself a Windows programmer. Finally, I don't have the time to
test these conjectures. Adam Shostack was the person that made me aware of
the potential problems of using the MS HTML component.

As far as I can tell the problem is that Eudora fails to turn off
JavaScript/Java when displaying HTML messages with the IE HTML components.

As you may or may not know, IE is little more than a wrapper around the MS
HTML rendering component. Many other vendors, including Qualcomm, find it
easy to reuse this component to display HTML instead of having to write
their own HTML rendering engine or to license one from a third party.
The HTML component has many options, including whether to turn on or off
things like Java/JavaScript.

In essence the exploit sends an HTML email message to the user with an
executable attached to it. The message has a link in it that executes
some JavaScript (I am assuming onClick, I don't know why they would not use
onLoad instead and do away with having to click on anything) which in
turn executes the attached file.

There are no security checks performed as this is a local file and is
trusted.

It should be noted that any products using the HTML component may also
fail to turn off things like Java and JavaScript and may be vulnerable
to similar attacks.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
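
The check below is an added example, not part of the original post or of any Eudora or Microsoft code: it audits a MIME message for the combination described above (script-bearing HTML plus an executable attachment) before the body is handed to an embedded HTML renderer. The tag and extension lists, the `verdict` policy names, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}
EXEC_EXTS = (".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js")

class ActiveContentFinder(HTMLParser):
    """Records markup that a script-enabled HTML control would act on."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit_message(raw):
    """Return (active-content findings, executable attachment names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    finder, attachments = ActiveContentFinder(), []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTS):
            attachments.append(name)
        elif part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings, attachments

def verdict(raw):
    """Hypothetical client policy: how to display the message."""
    findings, attachments = audit_message(raw)
    if findings and attachments:
        return "quarantine"
    return "render-as-plain-text" if findings else "render-html"

# Constructed sample: scripted link plus an executable attachment.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html\n\n'
    '<a href="#" onClick="placeholder()">Click here</a>\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="setup.exe"\n'
    'Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n'
)
```

A pre-render audit like this complements, and does not replace, turning scripting off in the embedded component itself.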
