UPDATE - Glitches Bedevil Hotmail, Eudora


[Fair use for education and research purpose only]

Title: Glitches Bedevil Hotmail, Eudora

Qualcomm Warns of Eudora Security Hole

BY PAUL FESTA Staff Writer, CNET News.com April 27, 2000, 3:10 p.m. PT

Qualcomm is urging people who use Eudora to guard against a potentially dangerous security vulnerability.

Normally, before Eudora and similar email applications will run an executable file attached to an email message, they will present a warning that asks whether the recipient wants to risk running untrusted code on the computer. But in an exploit devised by bug hunter and anticontent-filtering advocate Bennett Haselton, a hostile email sender can circumvent that warning.

"This is a potential way to get around Eudora's ability to warn people that something dangerous could happen," said Jeff Beckley, technical lead for Windows Eudora at Qualcomm.

Haselton's exploit works by attaching an executable (".exe") file and linking to that file from the body of the message through another attached file, this one of the Windows shortcut file type (".lnk").

If someone were to click directly on an ".exe" file, Eudora would flash a warning. But routed through the ".lnk" file, the executable gets a free pass.

Moreover, Haselton's demonstration works by disguising the ".lnk" extension, making the ruse effective against more savvy individuals.

Beckley said Qualcomm would add ".lnk" to its list of file extensions that earn warnings in the next iteration of Eudora for the Windows operating system, version 4.3.2. Beckley described that version as "weeks away."

In the meantime, people can take matters into their own hands by changing security clearance settings themselves. Those with Windows Eudora 4.2 and higher can copy this link into a Eudora composition message and click on the "OK" button that follows: x-Eudora-option:WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|.

Others who use Eudora should find the "Eudora.ini" file in their Eudora program file and add "WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|" after the line that has the text "Settings."


-- (Dee360Degree@aol.com), April 28, 2000
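
The manual Eudora.ini edit described in the article, as an added example that is not part of the original post or Qualcomm's own tooling: a Python function that merges the article's WarnLaunchExtensions list into the Settings section while keeping any extensions already listed there. The function name, the bracketed `[Settings]` header form and the sample file contents are assumptions made for illustration.

```python
# Extension list exactly as given in the article's workaround.
REQUIRED = ["exe", "com", "bat", "cmd", "pif", "htm", "do", "xl", "reg", "lnk"]
KEY = "WarnLaunchExtensions"

# Constructed sample Eudora.ini content (not taken from a real installation).
SAMPLE = "[Settings]\nWarnLaunchExtensions=exe|com|bat|\n[Other]\nKey=1\n"


def harden_ini(text, required=REQUIRED):
    """Return ini text whose [Settings] section warns on every required extension."""
    eol = "\r\n" if "\r\n" in text else "\n"   # keep the file's line endings
    lines = text.splitlines()
    section_start = None   # index of the [Settings] header, if present
    key_index = None       # index of an existing WarnLaunchExtensions line
    in_settings = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_settings = stripped[1:-1].strip().lower() == "settings"
            if in_settings and section_start is None:
                section_start = i
        elif in_settings and "=" in stripped:
            name = stripped.split("=", 1)[0].strip()
            if name.lower() == KEY.lower():
                key_index = i

    # Keep whatever the user already listed, then append missing entries.
    existing = []
    if key_index is not None:
        value = lines[key_index].split("=", 1)[1]
        existing = [e.strip().lower() for e in value.split("|") if e.strip()]
    merged = existing + [e for e in required if e not in existing]
    new_line = KEY + "=" + "|".join(merged) + "|"   # trailing "|" as in the article

    if key_index is not None:
        lines[key_index] = new_line                  # update in place
    elif section_start is not None:
        lines.insert(section_start + 1, new_line)    # directly after the header
    else:
        lines += ["[Settings]", new_line]            # no section yet: create it
    return eol.join(lines) + eol


if __name__ == "__main__":
    print(harden_ini(SAMPLE), end="")
```

Run it on a copy of the file with Eudora closed, and compare the output with the original before replacing it.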

