From: Bennett Haselton

Peacefire has discovered a security hole in all versions of Eudora mail for
Windows that can allow a hacker to execute code on a user's machine by
sending the user e-mail and having them click on a link:

http://www.peacefire.org/security/stealthattach/

(For example, a Eudora user would see this message with the URL above made
into a hyperlink so that you can click on it and load it into your browser.
Using the "stealth attachment" security exploit, you can force code to run
on the user's machine when they click on the link. Don't worry, *this*
message is safe :-) But you can go to the above URL and request a
"demonstration mail" to be sent to you.)

Security holes that allow you to run code on a remote user's machine just by
sending them e-mail are extremely dangerous -- a hacker could use this to
steal or erase any classified data on a remote user's hard drive, even if
that user were behind a corporate firewall and had anti-virus software
running. A virus writer could use the exploit to write a virus that could
spread to almost all Eudora users -- numbering in the millions -- and
potentially do hundreds of millions of dollars' worth of damage. (Unlike
most such tricks, this exploit does not require the user to do anything
"naive", like run an .exe that is sent to them as an attachment.) USA Today
reported last year on the "BubbleBoy" virus, which similarly used a security
hole in Microsoft Outlook to cause code to run on a user's machine, simply
by reading an e-mail message:

http://www.usatoday.com/life/cyber/tech/ctg633.htm

Unfortunately, unlike the security hole that Peacefire discovered last week:

http://www.peacefire.org/security/jscookies/
http://news.cnet.com/news/0-1005-200-1717169.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm

this security hole doesn't involve any cool industry buzzwords like
"javascript" or "cookies". This one just involves -- *YAWN* --
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
The Educational CyberPlayGround
<http://www.edu-cyberpg.com>
Diversity University Collaboratory Mailing List
<http://www.edu-cyberpg.com/diversity.html>
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>