
Eudora Email Security Advisory


January 25, 2005
Recently, John Heasman of NGSSoftware discovered some security vulnerabilities in Windows Eudora that could cause Eudora to crash. These vulnerabilities affect Windows Eudora versions 6.2.0 and older. These problems were fixed in the Eudora 6.2.1 release.

This problem does not affect Macintosh Eudora.

Additionally, the security vulnerabilities mentioned in the September 26, 2003 advisory (below) have been addressed in recent updates to Windows Eudora. The current version of Eudora (6.2.1 as of this writing) is not vulnerable to any of the potential security exploits listed below.


September 26, 2003 — Multiple Vulnerabilities
Recently, various security-related web pages have posted warnings of potential vulnerabilities in Windows Eudora. One such warning can be viewed here: http://www.secunia.com/advisories/9729/.

Secunia Advisory SA9729 specifically references two issues.

First issue:

    "A boundary error when handling overly long filenames (250 characters or longer) can be exploited to cause a buffer overflow. This crashes Eudora but may potentially also allow exection [sic] of arbitrary code."

The Eudora developers have investigated and fixed this issue. The fix will appear in our upcoming 6.0.1 release. Although the possibility of "potentially also allow exection [sic] of arbitrary code" is only speculation, the Eudora team takes this issue (and indeed all security issues) seriously.

Second issue:

    "It is possible to cause Eudora to show a different name than the actual attachment name. This may be exploited to trick users into opening malicious files."

The Eudora developers are currently in the process of investigating this issue. While it may be possible to send a malicious attachment to a Eudora user and have Eudora show a different attachment name, actually launching that attachment from within Eudora will subject the attachment to Eudora's security protections as configured in the Extra Warnings settings panel. If the "Launch a program from a message" option is checked, which is the default, the user is warned of the potential harm of launching the attachment.

Users should never blindly open attachments from people they do not know. By default, Eudora warns the user when launching a potentially harmful attachment from within a message and will also warn the user if the attachment is launched from within Windows Explorer.


September 25, 2000 — Word 2000
QUALCOMM has become aware of a potential security risk involving harmful .dll files when Windows versions of Eudora email software are used to launch Word files by users of Microsoft Word 2000. No actual incidents have been reported. Eudora 5.0.1, which will be available for download soon, includes a fix.

Users of Word 2000 should install Eudora 5.0.1 as soon as it becomes available. In the meantime, users of Word 2000 should launch that program outside of Eudora first when they have a Word attachment in Eudora they'd like to launch. This will load the proper .dll files for the Word 2000 application.


August 2000 — Mac Password
Qualcomm has become aware of a bug involving saved passwords in Eudora 4.3.2 for the Macintosh. For best password security, users who do not use the "save password" option should download and install the 4.3.3 updater or upgrade to the new Eudora 5.0.

This bug only affects Eudora 4.3.2 for the Macintosh.


April 2000 — File Extensions
QUALCOMM urges you always to be careful with email from people you do not know and use caution when launching attachments or URLs.

Cyber attackers continue to look for creative ways of using email to execute malicious attacks. One method that has recently been described is to attach an executable (".exe") file and link to that file from the body of an email message through another attached file that uses the Windows shortcut file type (".lnk"). The LOVELETTERFORYOU virus, which uses the “.vbs” file extension, is another example. These forms of attack can work in any Windows email client that allows users to launch files from within an email message.

By default, Windows Eudora 4.2 and above already warn you when you seek to launch a wide array of attachments. The following instructions can be used in Eudora 4.2.1 and above to change Eudora's settings to also warn for .lnk and .vbs files:

  1. Copy this entire URL (including the brackets)
    <x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|>
  2. Create a new message in Eudora and paste the URL into the body of the new message
  3. Alt-Click the URL to bring up the Change Option dialog
  4. Check to make sure the dialog's New Value field contains this:
    exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|
    with no spaces and ending with a vertical bar, then click "OK"
  5. If you see "%" symbols in the New Value field, edit the field to match the value in step 4.

For versions of Eudora earlier than 4.2.1, follow these instructions: Close Eudora, then open the "Eudora.ini" file in your Eudora program folder with a text editor, such as Notepad. Find the line that has the text "[Settings]" on it, and add the following line right after that one:
      WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|

Make sure you use the above text exactly, including the vertical bar that follows "vbs".

You also can use this syntax with either method above to designate other file extensions you’d like to be warned about. Simply add the extension and end with a vertical bar.
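The Eudora.ini edit described above, as an added Python example (not Qualcomm's code): it checks the [Settings] section for the WarnLaunchExtensions line, reports format problems (spaces, "%" symbols, missing trailing vertical bar, missing extensions) and returns a corrected copy of the text. The sample INI content and the function names are constructed for illustration, and matching the key case-insensitively is an assumption.

```python
import re

KEY = "WarnLaunchExtensions"
ADVISORY_VALUE = "exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|vbs|"  # value from the advisory
KEY_RE = re.compile(r"\s*warnlaunchextensions\s*=", re.I)  # assumption: key case is ignored

# Constructed sample: an Eudora.ini whose list lacks lnk, vbs and the trailing bar.
SAMPLE_INI = "[Settings]\nRealName=Test User\nWarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg\n[Mappings]\n"

def parse_value(value):
    """Split 'exe|com|...|' into extensions and list the format problems found."""
    problems = []
    if "%" in value:
        problems.append("contains '%'")
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    if not value.endswith("|"):
        problems.append("missing trailing vertical bar")
    return [e.strip().lower() for e in value.split("|") if e.strip()], problems

def harden_ini(ini_text, required=("lnk", "vbs")):
    """Return (new_text, problems) so that [Settings] warns for `required`."""
    lines = ini_text.splitlines()
    section_at = key_at = None
    in_settings = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_settings = s.lower() == "[settings]"
            if in_settings and section_at is None:
                section_at = i
        elif in_settings and key_at is None and KEY_RE.match(line):
            key_at = i
    if section_at is None:
        raise ValueError("no [Settings] section found")
    if key_at is None:
        # Setting absent: add the advisory's line right after [Settings].
        key_at = section_at + 1
        lines.insert(key_at, "")
        value, problems = ADVISORY_VALUE, ["setting absent"]
    else:
        value = lines[key_at].split("=", 1)[1]
        _, problems = parse_value(value)
        if "%" in value:
            value = ADVISORY_VALUE  # step 5: reset to the value from step 4
    exts = parse_value(value)[0]
    missing = [e for e in required if e not in exts]
    problems += [f"missing extension: {e}" for e in missing]
    lines[key_at] = f"{KEY}=" + "|".join(exts + missing) + "|"
    return "\n".join(lines) + "\n", problems
```

Passing extra extensions in `required` covers the case of adding other file types to the warning list; running the function on its own output reports no problems.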

If you are using a version of Eudora earlier than 4.2.1, we recommend you upgrade to Eudora 5.0. The full application is available for free when used in Sponsored mode.


March 1999 — JavaScripts
A potential security risk exists in Eudora Pro 3.0 or later for both Windows and Macintosh versions. The risk surfaces when a cyberattacker sends you an email message containing specific kinds of JavaScript and you click on destructive links contained in the message.

What can you do to be safe? We recommend Eudora users do one of two things:

  • Turn off JavaScript in your default browser. Please refer to your browser's documentation for instructions.
  • Create a new Eudora Attachments directory. Click here for instructions.

 



© 1999-2009 QUALCOMM Incorporated. All rights reserved. QUALCOMM and Eudora are registered trademarks of QUALCOMM Incorporated. All other trademarks are the property of their respective owners.