Home page logo
/

interesting-people logo Interesting People mailing list archives

IP: Eudora "Stealth Attachment" Security Hole Discovered from RISKS
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 14 May 2000 15:25:25 -0400



Date: Thu, 27 Apr 2000 18:35:39 -0500
From: Bennett Haselton <bennett () peacefire org>
Subject: Peacefire: Eudora "Stealth Attachment" Security Hole Discovered

Peacefire has discovered a security hole in all versions of Eudora mail for
Windows, that can allow a hacker to execute code on a user's machine, by
sending the user e-mail and having them click on a link:

        http://www.peacefire.org/security/stealthattach/

(For example, a Eudora user would see this message with the URL above made
into a hyperlink so that you can click on it and load it into your browser.
Using the "stealth attachment" security exploit, you can force code to run
on the user's machine when they click on the link.  Don't worry, *this*
message is safe :-) But you can go to the above URL and request a
"demonstration mail" to be sent to you.)

Security holes that allow you to run code on a remote user's machine just by
sending them e-mail, are extremely dangerous -- a hacker could use this to
steal or erase any classified data on a remote user's hard drive, even if
that user were behind a corporate firewall and had anti-virus software
running.  A virus writer could use the exploit to write a virus that could
spread to almost all Eudora users -- numbering in the millions -- and
potentially do hundreds of millions of dollars' worth of damage.  (Unlike
most such tricks, this exploit does not require the user to do anything
"naive", like run an .exe that is sent to them as an attachment.)  USA Today
reported last year on the "BubbleBoy" virus, which similarly used a security
hole in Microsoft Outlook to cause code to run on a user's machine, simply
by reading an e-mail message:
http://www.usatoday.com/life/cyber/tech/ctg633.htm

Unfortunately, unlike the security hole that Peacefire discovered last
week:
        http://www.peacefire.org/security/jscookies/
        http://news.cnet.com/news/0-1005-200-1717169.html
        http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
        http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm

this security hole doesn't involve any cool industry buzzwords like
"javascript" or "cookies".  This one just involves -- *YAWN* --
e-mail.  That is, like, *so* 20th-century.  Sorry if this is inconvenient
for journalists writing about this stuff :-)

bennett () peacefire org     (425) 649 9024      http://www.peacefire.org


  By Date           By Thread  

Current thread:
  • IP: Eudora &quot;Stealth Attachment&quot; Security Hole Discovered from RISKS Dave Farber (May 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]