Recently, various security-related web pages have posted warnings of potential vulnerabilities in Windows Eudora. One such warning can be viewed here: http://www.secunia.com/advisories/9729/.
Secunia Advisory SA9729 specifically references two issues.
First issue:
"A boundary error when handling overly long filenames (250 characters or longer) can be exploited to cause a buffer overflow. This crashes Eudora but may potentially also allow exection [sic] of arbitrary code."
The Eudora developers have investigated and fixed this issue. The fix will appear in our upcoming 6.0.1 release. Although the possibility of "potentially also allow exection [sic] of arbitrary code" is only speculation, the Eudora team takes this issue (and indeed all security issues) seriously.
Second issue:
"It is possible to cause Eudora to show a different name than the actual attachment name. This may be exploited to trick users into opening malicious files."
The Eudora developers are currently in the process of investigating this issue. While it may be possible to send a malicious attachment to a Eudora user and have Eudora show a different attachment name, actually launching that attachment from within Eudora will subject the attachment to Eudora's security protections as configured in the Extra Warnings settings panel. If the "Launch a program from a message" option is checked, which is the default, the user is warned of the potential harm of launching the attachment.
It is always recommended that users should not blindly open attachments from people they do not know. By default, Eudora warns the user when launching a potentially harmful attachment from within a message and will also warn the user if the attachment is launched from within Windows Explorer.
September 25, 2000 — Word 2000
QUALCOMM has become aware of a potential security risk involving harmful .dll files when Windows
versions of Eudora email software are used to launch Word files by users
of Microsoft Word 2000. No actual incidents have been reported. Eudora
5.0.1, which will be available for download soon, includes a fix.
Users of Word 2000
should install Eudora 5.0.1 as soon as it becomes available. In the meantime,
users of Word 2000 should launch that program outside of Eudora first
when they have a Word attachment in Eudora they'd like to launch. This
will load the proper .dll files for the Word 2000 application.
August 2000 — Mac Password
Qualcomm has become aware
of a bug involving saved passwords in Eudora 4.3.2 for the Macintosh. For
best password security, users who do not use the "save password" option
should download and install the
4.3.3 updater or upgrade to the new
Eudora 5.0
This bug only affects Eudora 4.3.2 for the Macintosh.
April 2000 — File Extensions
QUALCOMM
urges you always to be careful with email from people you do not know
and use caution when launching attachments or URLs.
Cyber attackers continue
to look for creative ways of using email to execute malicious attacks.
One possible method that recently has been described is to attach an executable
(".exe") file and link to that file from the body of an email message
through another attached file by using the Windows shortcut file type
(".lnk"). The LOVELETTERFORYOU virus that uses the “.vbs” file extension
is another. These forms of attack can work in any Windows email client
that allows users to launch files from within an email message.
By default, Windows
Eudora 4.2 and above already warn you when you seek to launch a wide array
of attachments. The following instructions can be used in Eudora 4.2.1
and above to change Eudora's settings to also warn for .lnk and .vbs files:
- Copy this entire
URL (including the brackets)
<x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|>
- Create a new message in Eudora and paste the URL into the body of the new message
- Alt-Click the URL
to bring up the Change Option dialog
- Check to make sure
the dialog's New Value field contains this: exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|
with no spaces and ending with a vertical bar, then click "OK"
- If you see "%"
symbols in the New Value field, edit the field to match the value in
step 4.
For versions
of Eudora earlier than 4.2.1, follow these instructions: Close Eudora,
then open the "Eudora.ini" file in your Eudora program folder with a text
editor, such as Notepad. Find the line that has the text "[Settings]"
on it, and add the following line right after that one:
WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|
Make sure you use
the above text exactly, including the vertical bar that follows "vbs".
You also can use this
syntax with either method above to designate other file extensions you’d
like to be warned about. Simply add the extension and end with a vertical
bar.
If you are using a
version of Eudora earlier than 4.2.1, we recommend you upgrade
to Eudora 5.0. The full application is available for free when used
in Sponsored mode.
March 1999 — JavaScripts
A potential security
risk exists in Eudora Pro 3.0 or later for both Windows and Macintosh
versions. The risk surfaces when a cyberattacker sends you an email message
containing specific kinds of JavaScript and you click on destructive links
contained in the message.
What can you do to
be safe? We recommend Eudora users do one of two things:
- Turn off JavaScript
in your default browser. Please refer to your browser's documentation
for instructions.
- Create a new Eudora
Attachments directory. Click here
for instructions.
