Bug Hunter Finds Security Hole in Eudora
Page 1 of 1
The weakness was discovered by Bennett Haselton, a Webmaster for Peacefire.org, who notified Qualcomm (QCOM) of his discovery. Haselton, a bug hunter and anticontent-filtering advocate, designed an exploit demonstrating that a hacker can circumvent Eudora's warning about running untrusted code on a computer. Eudora, and similar e-mail applications, usually presents a warning before it will run an executable file attached to an e-mail message.
Haselton's exploit, fully explained here, looks like an ordinary plain-text message containing a hyperlink. The hyperlink could point to an innocuous-looking URL. In Eudora, however, a hacker can format the hyperlink so it appears to point to one place but really leads somewhere else. When the user clicks on the hyperlink, it launches a Windows shortcut file (.lnk). The .lnk file is attached to an executable (.exe) file which it causes to run when launched. The .lnk and .exe files are hidden using simple HTML code. By using the .lnk file to run the .exe file, the exploit bypasses Eudora's warning system.
Qualcomm said its next iteration of Eudora for Windows, version 4.3.2, will correct the flaw, though that version is still "weeks away."