Date: Fri, 7 Aug 1998 13:40:54 -0400
From: "Stout, Bill"
Subject: Eudora executes (Java) URL

Eudora Pro 4.0 and 4.0.1 will execute Java from a URL.

"The Eudora flaw came to light just a little more than a week after
security researchers announced a similar problem in versions of
Microsoft's Outlook and Outlook Express e-mail programs and in
Netscape's Mail program. The Eudora vulnerability was brought to light
earlier this week by Richard M. Smith, president of Phar Lap Software, a
Cambridge, Mass.-based maker of operating system software and products
for Microsoft's MS-DOS, the operating system that predated Windows."
http://www.mercurycenter.com/premium/business/docs/internet07.htm

"You may have read recently that there is potential for unauthorized
programs to be run on your system through the use of hostile Java
scripts and/or applets. This problem affects users of Eudora Pro Email
4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that
Eudora Light users and users of previous versions of Eudora Pro are not
susceptible to these Java attacks..."
http://eudora.qualcomm.com/security.html

Bill Stout

-------------------------------------------------------------------------
Date: Fri, 7 Aug 1998 15:12:02 -0700
From: "John D. Hardin"
Subject: Re: Eudora executes (Java) URL

On Fri, 7 Aug 1998, Stout, Bill wrote:

> Eudora Pro 4.0 and 4.0.1 will execute Java from a URL.
>
> "The Eudora flaw came to light just a little more than a week after
> security researchers announced a similar problem in versions of
> Microsoft's Outlook and Outlook Express e-mail programs and in
> Netscape's Mail program. The Eudora vulnerability was brought to light
> earlier this week by Richard M. Smith, president of Phar Lap Software, a
> Cambridge, Mass.-based maker of operating system software and products
> for Microsoft's MS-DOS, the operating system that predated Windows."
> http://www.mercurycenter.com/premium/business/docs/internet07.htm
>
> "You may have read recently that there is potential for unauthorized
> programs to be run on your system through the use of hostile Java
> scripts and/or applets. This problem affects users of Eudora Pro Email
> 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that
> Eudora Light users and users of previous versions of Eudora Pro are not
> susceptible to these Java attacks..."
> http://eudora.qualcomm.com/security.html
>
> Bill Stout

Actually there were rumbles about this on bugtraq as far back as February.
I remember because it prompted me to add active-HTML tag mangling to my
procmail filter set.

BTW, just in case you haven't heard yet,

Drop by http://www.wolfenet.com/~jhardin/procmail-security.html

Comments solicited.

--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin
PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now? [ OK ]
-----------------------------------------------------------------------
79 days until Daylight Savings Time ends

-------------------------------------------------------------------------
Date: Fri, 7 Aug 1998 16:03:24 -0500
From: Aleph One
Subject: Re: Eudora security bug - executes URL

On Fri, 7 Aug 1998, Stout, Bill wrote:

> > Problem is the way Eudora 4x interacts with MSIE 4x and javascript.
>
> Please detail that on the list, since many of us can't enter NYT. Maybe
> Aleph One can also expand on that. I would expect that any program with
> integrated Internet capability would have similar security problems.

Note: I had no access to the exploit for this vulnerability so I have no
clue if this is really how it works.
It's also been over a month since I looked at the IE HTML control and my
memory is not the best. I do not consider myself a Windows programmer.
Finally, I don't have the time to test these conjectures.

Adam Shostack was the person that made me aware of the potential problems
of using the MS HTML component.

As far as I can tell the problem is that Eudora fails to turn off
JavaScript/Java when displaying HTML messages with the IE HTML components.

As you may or may not know, IE is little more than a wrapper around the MS
HTML rendering component. Many other vendors, including Qualcomm, find it
easy to reuse this component to display HTML instead of having to write
their own HTML rendering engine or to license one from a third party.
The HTML component has many options, including whether to turn on or off
things like Java/JavaScript.

In essence the exploit sends an HTML email message to the user with an
executable attached to it. The message has a link in it that executes
some JavaScript (I am assuming onClick, I don't know why they would not
use onLoad instead and do away with having to click on anything) which
in turn executes the attached file.

There are no security checks performed as this is a local file and is
trusted.

It should be noted that any products using the HTML component may also
fail to turn off things like Java and JavaScript and may be vulnerable
to similar attacks.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

-------------------------------------------------------------------------
Date: Fri, 7 Aug 1998 20:29:40 -0400
From: Steve Bellovin
Subject: Re: Eudora security bug - executes URL

In message , Aleph ...

> As you may or may not know, IE is little more than a wrapper around the MS
> HTML rendering component.
> Many other vendors, including Qualcomm, find it
> easy to reuse this component to display HTML instead of having to write
> their own HTML rendering engine or to license one from a third party.
> The HTML component has many options, including whether to turn on or off
> things like Java/JavaScript.
> ....
>
> There are no security checks performed as this is a local file and is
> trusted.
>
> It should be noted that any products using the HTML component may also
> fail to turn off things like Java and JavaScript and may be vulnerable
> to similar attacks.

This is a crucial point. The exploit is a direct result of Microsoft's
decision to merge, as much as possible, the desktop and the Net. That's
a laudable idea, in many ways, and the navigation concepts are similar.
But there is a crucial difference in trustworthiness, and the Microsoft
notion depends on (a) perfect bookkeeping, and (b) perfect entry points.
The .LNK failure in IE4 was an example of how (a) failed; the Eudora
problem illustrates a failure of (b). Both notions are fatally flawed,
in that they require far too much trust in far too many pieces of code.

I should note that (a)-type failures have been seen in many other cases,
notably sendmail. Sendmail treats program execution as an address; for
security, it tries to restrict it to alias expansion. But that means
that every place an address can appear must check to ensure that it
isn't program delivery. Of course, there are so many different places
that addresses can appear that it was inevitable that not all of them
would be checked -- and we've seen the results many different times.

By contrast, the upas mailer developed at Bell Labs circa 1984 does
execution as part of local delivery. Addresses per se cannot refer to
programs, even by alias expansion. And no, that wasn't an accident; it
was a deliberate design decision by Dave Presotto.
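
Added example (not part of any message in this thread, and not code from any poster or vendor): the message shape described above, an HTML body carrying script next to an executable attachment, can be flagged at the mail gateway independently of how each client configures its HTML viewer. The extension list, the pattern, the verdict names and the function names are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string, policy

EXEC_EXT = (".exe", ".com", ".bat", ".pif", ".scr", ".lnk")   # assumed site policy
# Heuristic for script-bearing HTML: active elements or on* event attributes.
ACTIVE = re.compile(r"<\s*(?:script|applet|object|embed)\b|<[^<>]*\son[a-z]+\s*=", re.I)

def assess(raw):
    """Return (html_has_active_content, [executable attachment names])."""
    msg = message_from_string(raw, policy=policy.default)
    active, execs = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXT):
            execs.append(name)
        elif part.get_content_type() == "text/html":
            active = active or bool(ACTIVE.search(part.get_content()))
    return active, execs

def verdict(raw):
    """Gateway decision; attachment-only mail is left to the site's attachment policy."""
    active, execs = assess(raw)
    if active and execs:
        return "quarantine"      # script plus a local executable it could reach
    return "sanitize" if active else "deliver"

# Constructed sample message (placeholder script, dummy attachment bytes).
SAMPLE = "\n".join([
    "From: sender@example.com",
    "To: user@example.com",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "",
    '<html><body><a href="#" onClick="placeholder()">details</a></body></html>',
    "--b1",
    'Content-Type: application/octet-stream; name="update.exe"',
    'Content-Disposition: attachment; filename="update.exe"',
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",
    "--b1--",
    "",
])
```
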
-------------------------------------------------------------------------
Date: Fri, 7 Aug 1998 11:32:56 -0700
From: Anthony Roybal
Subject: Re: New Eudora bug ?

Here is Qualcomm's alert from:

Anthony

Eudora Pro Security Alert

You may have read recently that there is potential for unauthorized
programs to be run on your system through the use of hostile Java
scripts and/or applets. This problem affects users of the Windows
versions of Eudora Pro Email 4.0 and 4.0.1, as well as Eudora Pro
CommCenter 4.0 and 4.0.1. Note that Eudora Light users, users of
previous versions of Eudora Pro, and Macintosh users are not susceptible
to these Java attacks.

QUALCOMM became aware of this problem yesterday (8/6/98) and will be
offering an updater for Windows Eudora Pro and CommCenter 4.0.1 and 4.0
within the next few hours that addresses these issues and will prevent
these types of attacks. QUALCOMM will also make available a new Eudora
Pro 4.1 beta that contains these fixes by Friday afternoon Pacific
Standard Time.

Until the new software is posted, you can protect yourself by turning
off the Microsoft viewer from within Eudora. To do this, follow these
steps:

1. In Eudora, go to the Tools menu and choose "Options".
2. On the left hand side of the options window, select "Viewing Mail"
3. On the right hand side of the options window, make sure the box next
   to "Use Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.

Eudora Pro Email, Eudora Pro CommCenter and Eudora Light are not
susceptible to buffer overflow security problem

QUALCOMM rigorously tested its line of Eudora email software after
becoming aware of the buffer overflow security problems recently found
in Microsoft and Netscape email programs. QUALCOMM is pleased to
announce that its Eudora email products are not susceptible to the types
of attacks that can harm the computers of users of these other products.
QUALCOMM tested Eudora Pro and Eudora CommCenter versions 4.0, as well
as Eudora Pro and Eudora Light versions 3.0 on both the Windows and
Macintosh platforms. In all cases, Eudora does not allow any
unauthorized programs to be automatically executed on a user's system.

At 6:19 PM +0200 8/7/98, Patrick Oonk wrote regarding "New Eudora bug ?":

> http://www.nytimes.com/library/tech/98/08/biztech/articles/07email-code.html
>
> SAN FRANCISCO -- Just days after a serious security flaw was revealed in two
> popular electronic mail programs, an equally troubling vulnerability has been
> discovered in Eudora, the most widely used of all e-mail software.
>
> The Eudora flaw makes it possible for a malicious computer user with little or
> no programming expertise to booby-trap an e-mail message by inserting a
> seemingly harmless link to an Internet location that in fact executes
> malignant code. This could permit an attacker to destroy or steal data or to
> otherwise tamper with a personal computer.

--
Anthony Roybal
Information Systems & Technology
University of California at Berkeley

-------------------------------------------------------------------------
Date: Sat, 8 Aug 1998 01:35:42 -0700
From: "John D. Hardin"
Subject: Re: Eudora executes (Java) URL

On Fri, 7 Aug 1998, John D. Hardin wrote:

> Actually there were rumbles about this on bugtraq as far back as February.
> I remember because it prompted me to add active-HTML tag mangling to my
> procmail filter set.
>
> BTW, just in case you haven't heard yet,
>
>
> Drop by http://www.wolfenet.com/~jhardin/procmail-security.html
>
>
> Comments solicited.

In the filter that attempts to sanitize tags, the following Perl regular
expression occurs:

s/]+("(\\.|[^"])*")?)*)ONLOAD/

reports that on SunOS 4.1.3 + Perl 5.004 this RE never exits, leading to
massive system loads when mail containing HTML is being processed.
I have confirmed it works properly under Linux 2.0.33 + Perl 5.004_01,
SunOS 4.1.4 + Perl 5.004_04 and Alpha OSF/1 V3.0 + Perl 5.004_04.

Can anyone confirm these results?

I have modified the released kit to use a simpler RE by default and
offer this as an alternative after testing. If anybody else experiences
a problem with this RE, either update to the current kit or delete the
offending line from the HTML filter perl script.

--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin
PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now? [ OK ]
-----------------------------------------------------------------------
78 days until Daylight Savings Time ends
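
Added example (not part of any message in this thread, and not the regular expression or script from the procmail kit): active-HTML tag mangling can be done with a single-pass scanner instead of a regular expression, so the work stays linear in the message size whatever the input looks like. The `MANGLED-` prefix, the tag list and the function names are assumptions; the sample input is constructed.

```python
ACTIVE_TAGS = {"script", "applet", "object", "embed"}   # assumed policy list
PREFIX = "MANGLED-"                                      # constructed marker

def tag_end(s, lt):   # index of the '>' closing the tag at s[lt], or -1
    quote = None
    for j in range(lt + 1, len(s)):
        if quote:
            quote = None if s[j] == quote else quote
        elif s[j] in "\"'":
            quote = s[j]
        elif s[j] == ">":                     # a '>' inside quotes never gets here
            return j
    return -1

def mangle_tag(tag):  # prefix active tag names and on* attribute names
    out, i, n, first, value = [], 1, len(tag) - 1, True, False
    while i < n:
        c, j = tag[i], i + 1
        if c in "\"'":                        # quoted value: copy through closing quote
            k = tag.find(c, j, n)
            j = n if k < 0 else k + 1
        elif value and not c.isspace():       # unquoted value: copy up to whitespace
            while j < n and not tag[j].isspace():
                j += 1
        elif c.isalpha():                     # tag name (first word) or attribute name
            while j < n and (tag[j].isalnum() or tag[j] in "-_:"):
                j += 1
            low = tag[i:j].lower()
            if (low in ACTIVE_TAGS if first else low.startswith("on")):
                out.append(PREFIX)
            first = False
        if not c.isspace():
            value = c == "="                  # a value can only follow '='
        out.append(tag[i:j])
        i = j
    return "<" + "".join(out) + ">"

def mangle_html(html):  # one left-to-right pass over the message body
    out, i = [], 0
    while (lt := html.find("<", i)) >= 0:
        out.append(html[i:lt])
        end = tag_end(html, lt)
        if end < 0:                           # unterminated tag: escape every remaining '<'
            return "".join(out) + html[lt:].replace("<", "&lt;")
        out.append(mangle_tag(html[lt:end + 1]))
        i = end + 1
    return "".join(out) + html[i:]

SAMPLE = '<body alt="a>b" ONLOAD="x()"><script>y()</script>'   # constructed input
```
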