COMMAND

    Qualcomm Eudora Spellchecker

SYSTEMS AFFECTED

    Qualcomm Eudora 3.x Spellchecker (Windows 95/98/NT)

PROBLEM

    The following is based on the report of Attrition's Little Errata
    Report Team. Systems in danger are systems running Microsoft
    Windows 95/98 and NT, using Qualcomm's Eudora v3.x with the NAI PGP
    plug-in. There are unconfirmed reports that MacOS versions are
    similarly affected.

    Qualcomm sells  and distributes  a Mail  User Agent  (MUA) package
    called Eudora which supports a number of plug-in utilities, one of
    which is the  Network Associates (NAI)  Pretty Good Privacy  (PGP)
    suite  of  tools  for  digital  signatures  and  encryption.  This
    advisory  specifically  addresses  a  bug  which  exists  in   the
    application of  the Eudora  spellchecking tool  and its  impact on
    the NAI PGP plug-in for Eudora v3.x.

    Qualcomm's Eudora Mail User Agent v3.x, when used in concert  with
    NAI's PGP plugin, exhibits  a counterproductive behavior when  the
    user digitally signs their outgoing message.  A majority of Eudora
    users, upon first using Eudora, elect to have spellcheck performed
    when they send their  e-mail.  This is  all well and good,  unless
    the PGP plug-in (through no  fault of NAI's work) is  brought into
    play.   Upon  completion  of  the  message,  the  user toggles the
    PGP-sign and/or  the PGP-encrypt  button and  then elects  to send
    the message.  It is at this point that the bug presents itself.

    Rather than performing spellchecking first, Eudora invokes PGP  to
    sign  or  encrypt  the   message  as  specified,  *then*   invokes
    spellchecking.   A series  of screen  shots have  been taken  as a
    proof-of-bug on this report and are available at:

        http://www.attrition.org/security/advisory/attrition/attrition.1999-09-17.eudora3x.proof.html

    The end result of this bug is that the user is compelled to remedy
    spelling errors  and otherwise  inaccurate data  *after* they have
    digitally  signed  the  document,  thus  altering  the content and
    invalidating the  PGP signature.   Eudora's spell  checker goes  a
    step  further  and  even  attempts  to "correct" the PGP signature
    itself!
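    The ordering defect described above can be modelled in a few lines.
    The following is an added example, not code from the advisory, from
    Qualcomm or from NAI: it stands in an HMAC for the PGP signature so
    that it runs with only the Python standard library, and the key, the
    armor strings, the auto-correct table and the sample message are all
    constructed for the demo. It signs a draft and then runs a naive
    spellchecker over the whole signed message (the Eudora 3.x order),
    then does the same steps the other way round, and verifies both.

```python
"""Sign-then-spellcheck versus spellcheck-then-sign (constructed demo)."""
import hashlib
import hmac
import re

DEMO_KEY = b"constructed-demo-key"  # stands in for the signer's private key
BEGIN_MSG = "-----BEGIN DEMO SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN DEMO SIGNATURE-----"
END_SIG = "-----END DEMO SIGNATURE-----"

# Constructed auto-correct table: the kind of change a spellchecker applies.
CORRECTIONS = {"teh": "the", "recieve": "receive", "seperate": "separate"}

# Constructed outgoing message with two spelling mistakes.
SAMPLE = "Hi Bob,\nPlease recieve teh attached report.\n-- Alice"


def canonical(body: str) -> bytes:
    """Form that is signed and verified: trailing blanks stripped, LF line ends."""
    return "\n".join(line.rstrip() for line in body.splitlines()).encode()


def sign(body: str, key: bytes = DEMO_KEY) -> str:
    """Clearsign-style block: the body in the clear plus a tag computed over it."""
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return "\n".join([BEGIN_MSG, body, BEGIN_SIG, sig, END_SIG])


_ARMOR = re.compile(
    re.escape(BEGIN_MSG) + r"\n(?P<body>.*?)\n" + re.escape(BEGIN_SIG)
    + r"\n(?P<sig>[^\n]*)\n" + re.escape(END_SIG),
    re.S,
)


def split_signed(message: str):
    """Return (body, signature); raise ValueError if the armor is damaged."""
    m = _ARMOR.fullmatch(message)
    if m is None:
        raise ValueError("damaged or missing signature armor")
    return m.group("body"), m.group("sig")


def verify(message: str, key: bytes = DEMO_KEY) -> bool:
    """True only if the body still matches what was signed and the armor parses."""
    try:
        body, sig = split_signed(message)
    except ValueError:
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def spellcheck(text: str) -> str:
    """Naive auto-correcting checker; like Eudora's, it cannot tell body from armor."""
    def fix(m):
        word = m.group(0)
        return CORRECTIONS.get(word.lower(), word)
    return re.sub(r"[A-Za-z]+", fix, text)


def eudora3_send(body: str) -> str:
    """Order from the advisory: sign first, then spellcheck the signed message."""
    return spellcheck(sign(body))


def fixed_send(body: str) -> str:
    """Correct order: spellcheck the draft, then sign what is actually sent."""
    return sign(spellcheck(body))


if __name__ == "__main__":
    print("untouched signed draft verifies:", verify(sign(SAMPLE)))
    print("sign, then spellcheck (Eudora 3.x):", verify(eudora3_send(SAMPLE)))
    print("spellcheck, then sign:", verify(fixed_send(SAMPLE)))
```

    The spellchecker in this demo only rewrites words in its table, so the
    hex signature line survives; a real ASCII-armored block, whose base64
    lines look like misspelled words to a checker, would be "corrected"
    as well, which is the second effect the advisory describes.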

    As most Windows users do not fully understand how PGP works, when
    they receive complaints about their "corrected" signed and encrypted
    messages they will likely attribute the reported Bad Signatures or
    unrecoverable encrypted files to system error. It is also highly
    likely that a chronic history of this sort of data corruption will
    compel users either to dismiss Bad Signatures outright as
    inconsequential, or to abandon the use of PGP encryption and
    signatures altogether. This unfortunate set of circumstances defeats
    the use of PGP encryption and content authentication entirely.

SOLUTION

    Qualcomm Eudora v4.x is not affected. Users who wish to continue
    using the PGP plug-in for Eudora are encouraged either to switch
    mail user agent software, to disable automatic spellchecking, or to
    upgrade to Eudora v4.x. Another alternative is to spellcheck mail in
    an external application before pasting it into the Eudora message
    body. Abandoning the use of PGP in any way is NOT recommended. As
    previously stated, the fault is not with NAI PGP.