Bug Hunter Finds Security Hole in Eudora

Qualcomm Inc. has uncovered a potentially dangerous security vulnerability in its Eudora e-mail program that could open a door for hackers to run code on an another person’s computer.

The weakness was discovered by Bennett Haselton, a Webmaster for Peacefire.org, who notified Qualcomm (QCOM) of his discovery. Haselton, a bug hunter and anticontent-filtering advocate, designed an exploit demonstrating that a hacker can circumvent Eudora’s warning about running untrusted code on a computer. Eudora, and similar e-mail applications, usually presents a warning before it will run an executable file attached to an e-mail message.

Haselton’s exploit, fully explained here, looks like an ordinary plain-text message containing a hyperlink. The hyperlink could point to an innocuous-looking URL. In Eudora, however, a hacker can format the hyperlink so it appears to point to one place but really leads somewhere else. When the user clicks on the hyperlink, it launches a Windows shortcut file (.lnk). The .lnk file is attached to an executable (.exe) file which it causes to run when launched. The .lnk and .exe files are hidden using simple HTML code. By using the .lnk file to run the .exe file, the exploit bypasses Eudora’s warning system.

Qualcomm said its next iteration of Eudora for Windows, version 4.3.2, will correct the flaw, though that version is still “weeks away.”

Meanwhile, Eudora users can fix the problem themselves by editing the Eudora.ini file to add the following line: WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk to their “[Settings]” section (the default is to warn for all these extensions except the .lnk).