---------- Forwarded message ----------
Date: Fri, 7 Aug 1998 14:58:53 -0400
From: Richard M. Smith <rmsat_private>
To: NTBUGTRAQat_private
Subject: Description of the Eudora Security Hole

Hello,

Attached is my original message to Qualcomm and Microsoft which describes the booby-trapped link bug which I found last weekend in Eudora 4 and was reported in the NY Times today.

The lesson from this bug is that it's a really bad idea for an Email reader to automatically execute JavaScript, Java, and ActiveX in Email messages. These programming languages should be turned off by default in Email. Qualcomm is planning to make this change in Eudora. Hopefully Microsoft and Netscape will do the same thing in their Email reader products.

Richard M. Smith
Phar Lap Software, Inc.
http://smallest.pharlap.com -- "The World's Smallest Web Server"

=========================================================================

Dear Qualcomm and Microsoft,

Over the last week there has been a great deal of news coverage regarding the buffer overflow errors in the Outlook Express and Netscape Email readers. These errors were found by researchers from Finland. According to news reports, Eudora is immune to these same errors.

However, I believe I have a much more serious security hole in the Windows 95 version of Eudora 4.0 and 4.01. This hole allows a malicious person to create a booby-trapped Email message that will run a Windows executable program attached to the message. All that is required to activate the booby-trap is for the person reading the Email message to click on a link in the text of the message. The link appears in the message text as a legitimate link to a page or article on the Web.

The program can potentially cause all sorts of damage such as erasing the hard disk, installing a virus on the victim's computer, or stealing private files and Email messages. The program to be executed can be either a standard Windows .EXE file or a DOS batch file.
The booby-trapped Email message requires no special skills or programmer utilities. The text of the message can be typed directly into Eudora as HTML or copied from a file. The program to be executed is sent as a standard attachment in Eudora.

I believe that the security hole was introduced in Eudora 4 with adoption of Microsoft's Internet Explorer 4 browser to display HTML-based Email messages.

To actually fix the problem may take some work. The booby-trap Email message exploits a number of anomalies in Eudora 4 and Internet Explorer 4. It is unclear exactly who will need to fix the problem, whether it is Qualcomm, Microsoft, or both.

There does exist a work-around to the problem which is to turn off the Microsoft Email viewer in Eudora. However, using this fix means that users lose the ability to view HTML Email messages. The bug also seems to go away if Internet Explorer 3 is installed on the machine instead of IE4 or if Netscape Navigator is running at the same time as Eudora.

I've created a demo Email message of the security hole that runs a harmless program that prints out some text about the problem. It was tested on 6 different systems running Eudora 4.0 and 4.01 with IE4 and the demo worked on all of these systems. All of the systems were running Windows 95. The security hole likely exists on Windows NT and Windows 98 also, but we haven't had a chance to verify this yet.

The demo version uses the following short "pitch letter":

------------------------------------------------------------------
News flash -- Clinton resigns -- full story at the New York Times:

http://www.nytimes.com
------------------------------------------------------------------

The link "http://www.nytimes.com" is highlighted by Eudora and if it is clicked on, is booby-trapped to run an executable named "BADNEWS.EXE" instead of going to the New York Times Web site. This executable is attached to the Email message but no attachment icons are displayed by Eudora at the bottom of the message.
BADNEWS.EXE is a simple C program that prints out the following text:

--------------------------------------------------------------------------------
This is a Windows .EXE file which was automatically executed by Eudora from an Email message. This program is harmless, but just as easily could have been a Trojan horse program that erased your hard disk, infected your computer with a virus, or stole all of your private files.

The program was sent to you as a hidden attachment to the "Clinton Resigns" Email message. (No, he didn't really resign!). Because of a number of security holes in Eudora, this .EXE file was run by mistake when you clicked on the booby-trapped link to the New York Times.

Reading Email in Eudora is no longer safe. As a temporary solution, we recommend immediately turning off the Microsoft viewer in Eudora:

   1. Select the "Options..." command on the Eudora "Tools" menu
   2. Select the "Viewing Mail" icon in the "Category" list
   3. Click off "Use Microsoft's viewer"
   4. Push the "OK" button.

Hit enter to exit -->
--------------------------------------------------------------------------------

At Phar Lap, we discovered the key holes in Eudora 4/IE4 while creating client/server applications based on HTML and JavaScript for our realtime operating system product line (http://smallest.pharlap.com and http://jshelper.pharlap.com).

We have also found a number of other major security holes in Eudora 4 that are not quite as serious. We haven't fully characterized these problems yet so I can't pass along any information about them quite yet.

My one question is: what is the best way to proceed to get the booby-trapped link security hole fixed?

Richard M. Smith
President, Phar Lap Software, Inc.

PS. None of the links in this message have been booby-trapped! :)
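Added example, not part of the original message and not Mr. Smith's demo: a mail-gateway triage check for the combination the letter warns about, an HTML part carrying active content (JavaScript, Java, ActiveX) in the same message as an .EXE or batch-file attachment. The function names, the tag list, the verdict labels and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "applet", "embed"}  # JavaScript, ActiveX, Java (assumed list)
PROGRAM_EXT = (".exe", ".bat")  # the two attachment types the letter names

class ActiveContentFinder(HTMLParser):
    """Collect markup that lets an HTML mail part run code when rendered or clicked."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.hits.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, ...
                self.hits.append(f"{tag}@{name}")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag}@{name}=javascript:")

def triage(raw):
    """Return a verdict and the evidence behind it for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    active, programs = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        if filename.endswith(PROGRAM_EXT):
            programs.append(filename)
        elif part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            active.extend(finder.hits)
    verdict = "quarantine" if active and programs else "review" if active or programs else "deliver"
    return {"verdict": verdict, "active": active, "programs": programs}

def build_sample(html, attachment=None):
    """Constructed test message: HTML body plus an optional named attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain-text alternative")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("<a href='http://example.invalid/' onclick='f()'>news</a>", "DEMO.EXE")))
```

The check keys on attachment names and markup only, so it complements rather than replaces the fix the letter asks for, which is turning script, Java and ActiveX off by default in the mail reader.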