Vulnerability Development mailing list archives

Eudora incoming email affects behavior

From: kluegel () LANL GOV (Thomas Kluegel)
Date: Fri, 18 Feb 2000 02:34:32 -0000


When a person downloads and uses the newly released adware
Eudora 4.3, Qualcomm eventually sends out an email entitled:

"Eudora Profile Information for youraddress () domain com".

When Eudora receives this email it recognizes it as special
and loads personal profile information.  This seems very
questionable, to distribute a client that can respond to
special message emails sent to it.  One wonders, what else
can it do?  Whatever Qualcomm can make it do via email,
surely a forged email sent by anybody could do the same.
Also, we have to take their word that arbitrary code
execution isn't a part of the new Eudora's design.

Am I off in the weeds with my concern on this?

-- Tom Kluegel

Current thread:

Re: WINS attack?, (continued)
- Re: WINS attack? John Hall (Feb 11)
- IE Java Nicolas Rachinsky (Feb 12)
- Unreal Webserver Adam Boileau (Feb 13)
  - Re: Unreal Webserver Arturo (Feb 14)
  - vulnerability database Ben Valenti (Feb 16)
    - Re: vulnerability database H D Moore (Feb 17)
    - Re: vulnerability database Yiorgos Adamopoulos (Feb 17)
    - Re: vulnerability database Iván Arce (Feb 17)
    - Re: vulnerability database Dragos Ruiu (Feb 17)
    - Re: vulnerability database Jay D. Dyson (Feb 17)
    - Eudora incoming email affects behavior Thomas Kluegel (Feb 17)
    - Re: Eudora incoming email affects behavior Jay D. Dyson (Feb 18)
    - Re: Eudora incoming email affects behavior Bluefish (Feb 29)