Vulnerability Development mailing list archives
Re: Eudora incoming email affects behavior
From: jdyson () TECHREPORTS JPL NASA GOV (Jay D. Dyson)
Date: Fri, 18 Feb 2000 01:52:46 -0800
-----BEGIN PGP SIGNED MESSAGE----- On Fri, 18 Feb 2000, Thomas Kluegel wrote:
When a person downloads and uses the newly released adware Eudora 4.3, Qualcomm eventually sends out an email entitled: "Eudora Profile Information for youraddress () domain com". When Eudora receives this email it recognizes it as special and loads personal profile information. This seems very questionable, to distribute a client that can respond to special message emails sent to it. One wonders, what else can it do? Whatever Qualcomm can make it do via email, surely a forged email sent by anybody could do the same. Also, we have to take their word that arbitrary code execution isn't a part of the new Eudora's design. Am I off in the weeds with my concern on this?
Sounds like a sane concern to me. For what it's worth, any special event triggered by a simple e-mail with little or no attempt at serious authentication of origin strikes me as an issue of merit. I'd like to see a copy of this message with full headers. With that alone, we can play with some forgeries and see what shakes loose. It should prove interesting, to say the least. - -Jay ( ______ )) .-- "There's always time for a good cup of coffee." --. >===<--. C|~~| (>-- Jay D. Dyson -- jdyson () techreports jpl nasa gov --<) | = |-' `--' `- It's a thankless job, but I've got Karma to burn. -' `-----' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Email me for my current public key. iQCVAwUBOK0WcYzYnY/37fGZAQHtZgQAl+aVL7kDdsoTlUX/mgvECj2ncFTVIWes gurUy1Zs5BKRmJ6B21BInlxS7Jmx265yjwLnnId49PQjsvMMd193OKBoP1E7Us/Z aUMHJTpEBo7QESnqArISYvlauqiH3YViZwSP1iCHYLvnXvIz5wa5P6zp54I38bqM VRWDDzA5Wdk= =qMB6 -----END PGP SIGNATURE-----
Current thread:
- IE Java, (continued)
- IE Java Nicolas Rachinsky (Feb 12)
- Unreal Webserver Adam Boileau (Feb 13)
- Re: Unreal Webserver Arturo (Feb 14)
- vulnerability database Ben Valenti (Feb 16)
- Re: vulnerability database H D Moore (Feb 17)
- Re: vulnerability database Yiorgos Adamopoulos (Feb 17)
- Re: vulnerability database Iván Arce (Feb 17)
- Re: vulnerability database Dragos Ruiu (Feb 17)
- Re: vulnerability database Jay D. Dyson (Feb 17)
- Eudora incoming email affects behavior Thomas Kluegel (Feb 17)
- Re: Eudora incoming email affects behavior Jay D. Dyson (Feb 18)
- Re: Eudora incoming email affects behavior Bluefish (Feb 29)