Date:         Fri, 7 Aug 1998 13:40:54 -0400
From:         "Stout, Bill" <StoutB@PIOS.COM>
Subject:      Eudora executes (Java) URL

Eudora Pro 4.0 and 4.0.1 will execute Java from a URL.

"The Eudora flaw came to light just a little more than a week after security
researchers announced a similar problem in versions of Microsoft's Outlook
and Outlook Express e-mail programs and in Netscape's Mail program. The
Eudora vulnerability was brought to light earlier this week by Richard M.
Smith, president of Phar Lap Software, a Cambridge, Mass.-based maker of
operating system software and products for Microsoft's MS-DOS, the operating
system that predated Windows."
http://www.mercurycenter.com/premium/business/docs/internet07.htm

"You may have read recently that there is potential for unauthorized
programs to be run on your system through the use of hostile Java scripts
and/or applets. This problem affects users of Eudora Pro Email 4.0 and
4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that Eudora
Light users and users of previous versions of Eudora Pro are not susceptible
to these Java attacks..." http://eudora.qualcomm.com/security.html

Bill Stout

-------------------------------------------------------------------------

Date:         Fri, 7 Aug 1998 15:12:02 -0700
From:         "John D. Hardin" <jhardin@WOLFENET.COM>
Subject:      Re: Eudora executes (Java) URL

On Fri, 7 Aug 1998, Stout, Bill wrote:

> Eudora Pro 4.0 and 4.0.1 will execute Java from a URL.
>
> "The Eudora flaw came to light just a little more than a week after
> security researchers announced a similar problem in versions of
> Microsoft's Outlook and Outlook Express e-mail programs and in
> Netscape's Mail program. The Eudora vulnerability was brought to light
> earlier this week by Richard M. Smith, president of Phar Lap Software, a
> Cambridge, Mass.-based maker of operating system software and products
> for Microsoft's MS-DOS, the operating system that predated Windows."
> http://www.mercurycenter.com/premium/business/docs/internet07.htm
>
> "You may have read recently that there is potential for unauthorized
> programs to be run on your system through the use of hostile Java
> scripts and/or applets. This problem affects users of Eudora Pro Email
> 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and 4.0.1. Note that
> Eudora Light users and users of previous versions of Eudora Pro are not
> susceptible to these Java attacks..."
> http://eudora.qualcomm.com/security.html
>
> Bill Stout

Actually there were rumbles about this on bugtraq as far back as February.
I remember because it prompted me to add active-HTML tag mangling to my
procmail filter set.

BTW, just in case you haven't heard yet,

<PLUG TYPE="shameless">
Drop by http://www.wolfenet.com/~jhardin/procmail-security.html
</PLUG>

Comments solicited.

--
 John Hardin KA7OHZ                               jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  Your mouse has moved. Windows NT must be restarted for the change
  to take effect. Reboot now?  [ OK ]
-----------------------------------------------------------------------
   79 days until Daylight Savings Time ends


-------------------------------------------------------------------------

Date:         Fri, 7 Aug 1998 16:03:24 -0500
From:         Aleph One <aleph1@DFW.NET>
Subject:      Re: Eudora security bug - executes URL

On Fri, 7 Aug 1998, Stout, Bill wrote:

> > Problem is the way Eudora 4x interacts with MSIE 4x and javascript.
>
> Please detail that on the list, since many of us can't enter NYT.  Maybe
> Aleph One can also expand on that.  I would expect that any program with
> integrated Internet capability would have similar security problems.

Note: I had no access to the exploit for this vulnerability so I have no
clue if this is really how it works. It's also been over a month since I
looked at the IE HTML control and my memory is not the best. I do not
consider myself a Windows programmer. Finally, I don't have the time to
test these conjectures. Adam Shostack was the person that made me aware of
the potential problems of using the MS HTML component.

As far as I can tell the problem is that Eudora fails to turn off
JavaScript/Java when displaying HTML messages with the IE HTML components.

As you may or may not know, IE is little more than a wrapper around the MS
HTML rendering component. Many other vendors, including Qualcomm, find it
easy to reuse this component to display HTML instead of having to write
their own HTML rendering engine or to license one from a third party.
The HTML component has many options, including whether to turn on or off
things like Java/JavaScript.

In essence the exploit sends an HTML email message to the user with an
executable attached to it. The message has a link in it that executes
some JavaScript (I am assuming onClick, I don't know why they would not use
onLoad instead and do away with having to click on anything) which in
turn executes the attached file.

There are no security checks performed as this is a local file and is
trusted.

It should be noted that any products using the HTML component may also
fail to turn off things like Java and JavaScript and may be vulnerable
to similar attacks.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01


-------------------------------------------------------------------------

Date:         Fri, 7 Aug 1998 20:29:40 -0400
From:         Steve Bellovin <smb@RESEARCH.ATT.COM>
Subject:      Re: Eudora security bug - executes URL

In message <Pine.SUN.4.01.9808071550190.7443-100000@dfw.nationwide.net>, Aleph
...

> As you may or may not know, IE is little more than a wrapper around the MS
> HTML rendering component. Many other vendors, including Qualcomm, find it
> easy to reuse this component to display HTML instead of having to write
> their own HTML rendering engine or to license one from a third party.
> The HTML component has many options, including whether to turn on or off
> things like Java/JavaScript.
>
....
>
> There are no security checks performed as this is a local file and is
> trusted.
>
> It should be noted that any products using the HTML component may also
> fail to turn off things like Java and JavaScript and may be vulnerable
> to similar attacks.

This is a crucial point.  The exploit is a direct result of Microsoft's
decision to merge, as much as possible, the desktop and the Net.
That's a laudable idea, in many ways, and the navigation concepts are
similar.  But there is a crucial difference in trustworthiness, and
the Microsoft notion depends on (a) perfect bookkeeping, and (b) perfect
entry points.  The .LNK failure in IE4 was an example of how (a) failed;
the Eudora problem illustrates a failure of (b).  Both notions are
fatally flawed, in that they require far too much trust in far too many
pieces of code.

I should note that (a)-type failures have been seen in many other cases,
notably sendmail.  Sendmail treats program execution as an address;
for security, it tries to restrict it to alias expansion.  But that
means that every place an address can appear must check to ensure that
it isn't program delivery.  Of course, there are so many different
places that addresses can appear that it was inevitable that not all
of them would be checked -- and we've seen the results many different
times.  By contrast, the upas mailer developed at Bell Labs circa 1984
does execution as part of local delivery.  Addresses per se cannot refer
to programs, even by alias expansion.  And no, that wasn't an accident;
it was a deliberate design decision by Dave Presotto.


-------------------------------------------------------------------------

Date:         Fri, 7 Aug 1998 11:32:56 -0700
From:         Anthony Roybal <tony@UCLINK.BERKELEY.EDU>
Subject:      Re: New Eudora bug ?

Here is Qualcomm's alert from:

<http://eudora.qualcomm.com/security.html>

Anthony


Eudora Pro Security Alert

You may have read recently that there is potential for unauthorized
programs to be run on your system through the use of hostile Java scripts
and/or applets. This problem affects users of the Windows versions of
Eudora Pro Email 4.0 and 4.0.1, as well as Eudora Pro CommCenter 4.0 and
4.0.1. Note that Eudora Light users, users of previous versions of Eudora
Pro, and Macintosh users are not susceptible to these Java attacks.

QUALCOMM became aware of this problem yesterday (8/6/98) and will be
offering an updater for Windows Eudora Pro and CommCenter 4.0.1 and 4.0
within the next few hours that addresses these issues and will prevent
these types of attacks. QUALCOMM will also make available a new Eudora Pro
4.1 beta that contains these fixes by Friday afternoon Pacific Standard
Time.

Until the new software is posted, you can protect yourself by turning off
the Microsoft viewer from within Eudora. To do this, follow these steps:

1. In Eudora, go to the Tools menu and choose "Options".
2. On the left hand side of the options window, select "Viewing Mail".
3. On the right hand side of the options window, make sure the box next to
   "Use Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.

Eudora Pro Email, Eudora Pro CommCenter and Eudora Light are not
susceptible to buffer overflow security problems

QUALCOMM rigorously tested its line of Eudora email software after becoming
aware of the buffer overflow security problems recently found in Microsoft
and Netscape email programs. QUALCOMM is pleased to announce that its
Eudora email products are not susceptible to the types of attacks that can
harm the computers of users of these other products.

QUALCOMM tested Eudora Pro and Eudora CommCenter versions 4.0, as well as
Eudora Pro and Eudora Light versions 3.0 on both the Windows and Macintosh
platforms. In all cases, Eudora does not allow any unauthorized programs to
be automatically executed on a user's system.



At 6:19 PM +0200 8/7/98, Patrick Oonk wrote regarding "New Eudora bug ?":

> http://www.nytimes.com/library/tech/98/08/biztech/articles/07email-code.html
>
> SAN FRANCISCO -- Just days after a serious security flaw was revealed in two
> popular electronic mail programs, an equally troubling vulnerability has been
> discovered in Eudora, the most widely used of all e-mail software.
>
> The Eudora flaw makes it possible for a malicious computer user with little or
> no programming expertise to booby-trap an e-mail message by inserting a
> seemingly harmless link to an Internet location that in fact executes
> malignant code. This could permit an attacker to destroy or steal data or to
> otherwise tamper with a personal computer.

--
Anthony Roybal
Information Systems & Technology
University of California at Berkeley

<mailto:ar@socrates.berkeley.edu>
<http://socrates.Berkeley.EDU/~ar>


-------------------------------------------------------------------------

Date:         Sat, 8 Aug 1998 01:35:42 -0700
From:         "John D. Hardin" <jhardin@WOLFENET.COM>
Subject:      Re: Eudora executes (Java) URL

On Fri, 7 Aug 1998, John D. Hardin wrote:

> Actually there were rumbles about this on bugtraq as far back as February.
> I remember because it prompted me to add active-HTML tag mangling to my
> procmail filter set.
>
> BTW, just in case you haven't heard yet,
>
> <PLUG TYPE="shameless">
> Drop by http://www.wolfenet.com/~jhardin/procmail-security.html
> </PLUG>
>
> Comments solicited.

In the filter that attempts to sanitize <BODY ONLOAD="exploit"> tags, the
following Perl regular expression occurs:

 s/<BODY\s+(([^">]+("(\\.|[^"])*")?)*)ONLOAD/<BODY $1 DEFANGED-ONLOAD/gi;

Dick St. Peters <stpeters@NetHeaven.com> reports that on SunOS 4.1.3 +
Perl 5.004 this RE never exits, leading to massive system loads when mail
containing HTML is being processed.

I have confirmed it works properly under Linux 2.0.33 + Perl 5.004_01,
SunOS 4.1.4 + Perl 5.004_04 and Alpha OSF/1 V3.0 + Perl 5.004_04.

Can anyone confirm these results?

I have modified the released kit to use a simpler RE by default and offer
this as an alternative after testing.

If anybody else experiences a problem with this RE, either update to the
current kit or delete the offending line from the HTML filter perl script.

--
 John Hardin KA7OHZ                               jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  Your mouse has moved. Windows NT must be restarted for the change
  to take effect. Reboot now?  [ OK ]
-----------------------------------------------------------------------
   78 days until Daylight Savings Time ends
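The sanitizing step John Hardin's post describes, as an added example that is not code from his procmail-security kit: it is written in Python rather than the kit's Perl, the names ATTR_RE, TAG_OPEN_RE, defang_event_handlers and the sample message body are my own, and it generalizes the kit's <BODY ONLOAD> case to every on* attribute in every tag, using the same DEFANGED- prefix. Instead of one regular expression over the whole tag, it tokenizes attributes one at a time, so the filter cannot fall into the exponential backtracking that nested quantifiers of the form `([^">]+(...)?)*` permit on a long tag that never contains the handler being searched for.

```python
import re

# One attribute inside a tag: a name, then optionally '=' and a value that is
# double-quoted (backslash escapes allowed, as the original RE permitted),
# single-quoted, or a bare token.  Each alternative starts on a distinct
# character and every token is consumed exactly once, so the scan is linear
# in the length of the tag; the nested ([^">]+(...)?)* form can instead try
# exponentially many ways to split the same attribute text before failing.
ATTR_RE = re.compile(
    r"""\s*([^\s=>"'/]+)(?:\s*=\s*("(?:\\.|[^"\\])*"|'[^']*'|[^\s>"']+))?""",
    re.DOTALL,
)
# Start of an opening tag: '<' followed by a tag name.
TAG_OPEN_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")


def is_event_handler(name):
    """Any attribute named on* (onload, onclick, onerror, ...) is a script hook."""
    return name.lower().startswith("on")


def defang_event_handlers(html):
    """Rename every on* attribute in every tag to DEFANGED-<name>.

    Returns (sanitized_html, names_defanged).  The attribute value is left in
    place so the recipient (or a log) can still see what the message carried;
    only the name is changed, which is enough to stop the viewer acting on it.
    """
    out, found, pos = [], [], 0
    while True:
        m = TAG_OPEN_RE.search(html, pos)
        if m is None:
            out.append(html[pos:])        # no more tags: copy the tail
            break
        out.append(html[pos:m.end()])     # text before the tag plus '<NAME'
        i = m.end()
        # Walk the tag's attributes one token at a time until the closing '>'.
        while i < len(html) and html[i] != ">":
            am = ATTR_RE.match(html, i)
            if am is None:
                # Stray character ('/', a lone quote): copy it and move on.
                out.append(html[i])
                i += 1
                continue
            name = am.group(1)
            if is_event_handler(name):
                found.append(name)
                out.append(html[am.start():am.start(1)])   # leading whitespace
                out.append("DEFANGED-")
                out.append(html[am.start(1):am.end()])     # name and value
            else:
                out.append(am.group(0))
            i = am.end()
        pos = i
    return "".join(out), found


# Constructed sample message body (hypothetical, not taken from the thread).
SAMPLE_BODY = (
    '<HTML><BODY BGCOLOR="#ffffff" onLoad="runAttachment()">'
    "<A HREF=\"http://example.invalid/\" ONCLICK='run()'>link</A>"
    '<IMG SRC="pic.gif" onerror="fallback()" /></BODY></HTML>'
)

if __name__ == "__main__":
    cleaned, names = defang_event_handlers(SAMPLE_BODY)
    print(cleaned)
    print("defanged:", names)
```

Run as a script it prints the sanitized body and the list of handler names it renamed; the list is what a procmail or MTA filter would log, since a message arriving with several on* attributes is itself worth flagging. A BODY tag with many ordinary attributes and no handler passes through unchanged in one pass, which is exactly the input that made the original regular expression spin.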