COMMAND
Eudora
SYSTEMS AFFECTED
Windows OSes with Eudora 4.0, 4.0.1, 4.1
PROBLEM
Richard M. Smith found the following booby-trapped link bug. This
hole allows a malicious person to create a booby-trapped Email
message that will run a Windows executable program attached to the
message. All that is required to activate the booby-trap is for
the person reading the Email message to click on a link in the
text of the message. The link appears in the message text as a
legitimate link to a page or article on the Web.
The program can potentially cause all sorts of damage such as
erasing the hard disk, installing a virus on the victim's
computer, or stealing private files and Email messages. The
program to be executed can be either a standard Windows .EXE file
or a DOS batch file. The booby-trapped Email message requires no
special skills or programmer utilities. The text of the message
can be typed directly into Eudora as HTML or copied from a file.
The program to be executed is sent as a standard attachment in
Eudora.
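The two paragraphs above describe the shape of the trap: an HTML body whose visible link text reads like a Web URL, while the real target is an executable or batch file that arrived as an attachment. The script below is an added example, not part of the original advisory or of Richard Smith's demo, showing how a mail gateway could flag such messages before a user ever clicks. The sample message is constructed for the example, and the file:// path to a mail client's attachment folder is an assumption about how a link would reach an attached program; the advisory does not give the exact link form used. The suffix list goes slightly beyond the .EXE and .BAT files the text names (.com and .cmd are also directly executable on Windows).

```python
"""Flag HTML e-mail bodies that carry deceptive links to local executables."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the message type the advisory describes. The visible
# text looks like a Web URL; the real href points at an attached program.
# The file:// path to an attachment folder is an assumption for illustration.
BOOBY_TRAPPED_HTML = """
<html><body>
<p>Interesting article: <a href="file://C:/Eudora/attach/readme.exe">
http://www.nytimes.com/library/tech/</a></p>
<p>Also see <a href="http://www.example.com/page.html">this page</a>.</p>
</body></html>
"""

# .exe and .bat are named in the advisory; .com and .cmd are added here
# because Windows runs them directly as well.
EXECUTABLE_SUFFIXES = (".exe", ".bat", ".com", ".cmd")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it looks benign."""
    reasons = []
    target = urlparse(href.strip())
    # A file:// URL or a bare relative path never leads to the Web, whatever
    # the link text claims.
    if target.scheme.lower() in ("file", ""):
        reasons.append("target is a local path rather than a Web URL")
    if target.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("target is an executable or batch file")
    # The advisory's trick: the visible text is itself a plausible http URL
    # that differs from where the anchor really points.
    shown = urlparse(text.strip())
    if shown.scheme.lower() in ("http", "https") and shown.netloc \
            and text.strip() != href.strip():
        reasons.append("visible text is a Web URL that does not match the real target")
    return reasons


def find_booby_traps(html):
    """Return (href, visible text, reasons) for every suspicious link in an HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            hits.append((href, text, reasons))
    return hits


if __name__ == "__main__":
    for href, text, reasons in find_booby_traps(BOOBY_TRAPPED_HTML):
        print(f"SUSPICIOUS: shown as {text!r}, really {href!r}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed message, the first anchor is reported on all three counts and the ordinary http link is left alone. The check on visible text versus href is the one that matters most for this bug, since a mail viewer that renders HTML hides the real target unless the user hovers over the link.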
It is believed that the security hole was introduced in Eudora 4
with adoption of Microsoft's Internet Explorer 4 browser to
display HTML-based Email messages. Richard created a demo Email
message of the security hole that runs a harmless program that
prints out some text about the problem. It was tested on 6
different systems running Eudora 4.0 and 4.0.1 with IE4 and the
demo worked on all of these systems. All of the systems were
running Windows 95. The security hole likely exists on Windows
NT and Windows 98 also. Take a look at:
http://www.nytimes.com/library/tech/yr/mo/biztech/articles/07email-code.html
SOLUTION
A work-around exists: turn off the Microsoft Email viewer in
Eudora. Using this fix, however, means that users lose the ability
to view HTML Email messages. The bug also seems to go away if
Internet Explorer 3 is installed on the machine instead of IE4, or
if Netscape Navigator is running at the same time as Eudora; these
are observations rather than a fix, and disabling the viewer is
the reliable interim mitigation. Qualcomm suggests the following
interim actions:
1. In Eudora, go to the Tools menu and choose "Options".
2. On the left hand side of the options window, select
"Viewing Mail"
3. On the right hand side of the options window, make sure
the box next to "Use Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.
QUALCOMM is offering an updater for Windows Eudora Pro and
CommCenter 4.0.1 and 4.0 that addresses these issues. Eudora Pro
Email, Eudora Pro CommCenter and Eudora Light are not susceptible
to the buffer overflow security problem, which is a separate issue
from the booby-trapped link described above.