Email Links Mask Threat

The vulnerability revealed Friday uses Eudora’s ability to work with “scripts” to let innocent links in messages find and run potentially destructive software.

By Chris Oakes.

Current versions of the popular email program Eudora may have nifty innovations like reading HTML and other special instructions, but these abilities are also leaving it vulnerable to dangerous attacks.

The flaw in Eudora 4.0 and 4.01 for Windows could enable attackers to use links included in email messages to find and launch potentially destructive software applications. On Friday, Qualcomm, makers of Eudora products, acknowledged the problem in its product.

“What allows this is the fact that Eudora supports HTML within an email message and has the ability to support Java applets and JavaScript within email messages,” said Matt Parks, product-line manager for the product.

While no known instances of attack have occurred, the potential for destruction is harrowing. The code can delete information, destroy files, or steal a password. This sort of destructive potential has been seen in earlier flaws in Netscape’s (NSCP) and Microsoft’s (MSFT) email products.

An attack could occur in an email message bearing an embedded link that seemingly points to a normal Web page location. The link will actually use scripting functions to find and launch the malicious code that accompanied the message in a file attachment.

Richard M. Smith, president of Massachusetts-based Phar Lap Software, discovered the powerful exploit in Qualcomm’s (QCOM) Eudora on Wednesday.

“I believe I have a much more serious security hole in the Windows 95 version of Eudora 4.0 and 4.01,” Smith wrote in a letter to Qualcomm. “This hole allows a malicious person to create a booby-trapped email message that will run a Windows executable program attached to the message.”

How dangerous is it?

“Take the fact that there’s 18 million copies of Eudora out there…. From a home user’s perspective, I’d say it’s pretty problematic,” said security expert Russ Cooper, who moderates the NTBugTraq mailing list.

“It’s a complete compromise,” he said, noting that a malicious user could use the flaw to install the recently released Back Orifice hacker program, which can covertly monitor Windows 95 or 98 computers.

To remedy the problem, Qualcomm planned to issue an updated software version called Eudora 4.02 as early as Friday. In the meantime, users can find instructions at Qualcomm’s Web site for turning off the feature that executes Java and JavaScript. Eudora uses Windows’ built-in HTML rendering engine, written by Microsoft and also used by Internet Explorer, to handle such scripts.

But Jeff Beckley, lead developer for Eudora for Windows, said there was no reason to think that the trick could only be performed through Java and JavaScript instructions. Though he hasn’t done the analysis, he said that other applet and scripting code, such as Microsoft’s ActiveX or VBScript, could be used to perform the software exploitation.
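The pattern described above, a message whose HTML body carries active content and which also brings an executable attachment, is something a mail filter can flag before the message reaches a scripting-capable reader. The following is an added example, not code from the article or from Qualcomm; the function names, tag list and extension list are assumptions, and the sample message is constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed lists for this sketch; tune them to local policy.
ACTIVE_TAGS = {"script", "applet", "object", "embed"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
EXEC_EXTS = (".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js")

class ActiveContentFinder(HTMLParser):
    """Records the parts of an HTML body that a scripting-capable renderer would run."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and value.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} of <{tag}>")

def inspect_message(raw):
    """Return (active-content findings, executable attachment names)."""
    msg = message_from_string(raw, policy=policy.default)
    finder, attachments = ActiveContentFinder(), []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXEC_EXTS):
            attachments.append(filename)
        elif part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings, attachments

def should_quarantine(raw):
    findings, attachments = inspect_message(raw)
    return bool(findings) and bool(attachments)  # both halves of the pattern present

def build_sample(html, attachment_name=None):
    """Constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m.set_content("plain-text alternative")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()
```

A message with an ordinary `http:` link and the same attachment is not held by this check, so attachment filtering still needs its own rule.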

Smith and Eudora representatives don’t believe the email programs of Microsoft and Netscape are affected by the same problem.

Still, Netscape is looking into it. “We are investigating this possibility. Looking at what we know about the bug so far, it doesn’t look like it will be an immediate problem to Netscape users,” said Chris Saito, group product manager for Communicator. “Since we have obviously different implementations of JavaScript, I don’t believe it will be a problem.” If it does become an issue, the company will address it, he said.

A Microsoft spokesperson said the company had determined that its Outlook email products are not affected by the problem afflicting Eudora.