‘Critical’ Buffer Overflow Found in Eudora

Security researchers have discovered a “highly critical” security flaw in QUALCOMM’s Eudora e-mail client that could lead to the execution of malicious code on vulnerable systems.

Paul Szabo, a computer systems officer at the University of Sydney, reported the flaws in versions 6.1, 6.0.3 and 5.2.1 of Eudora and warned that Windows users were at risk of complete system takeover.

According to Szabo’s advisory, the vulnerability is due to a boundary error in the client’s URL-handling code: data taken from a link is copied into a fixed-size buffer without its length being checked. An attacker could exploit the hole by sending an e-mail containing a specially crafted link.
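To make the class of bug concrete, here is an added example in C of the pattern the advisory describes: a host component is pulled out of a link and copied into a fixed buffer with no bound check, shown beside the hardened form that refuses over-long input. This is illustrative code written for this article, not Eudora's code; `HOST_MAX`, the function names and the sample links are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* hypothetical fixed-size host buffer; not a value taken from Eudora */

/* Locate the host component: the bytes between "://" and the next '/' (or end of string).
 * Returns 0 on success, -1 if the input has no scheme separator. */
static int split_host(const char *url, const char **host, size_t *len)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    p += 3;
    const char *end = strchr(p, '/');
    *host = p;
    *len = end != NULL ? (size_t)(end - p) : strlen(p);
    return 0;
}

/* Vulnerable form of the pattern: the host length is derived from attacker-controlled
 * input and copied into a fixed-size buffer without comparing it to that buffer's size.
 * With a link whose host part is HOST_MAX bytes or longer, memcpy writes past the end of
 * out; this is the kind of boundary error that lets a crafted link corrupt memory. */
int extract_host_unsafe(const char *url, char out[HOST_MAX])
{
    const char *host;
    size_t len;
    if (split_host(url, &host, &len) < 0)
        return -1;
    memcpy(out, host, len);      /* no bound check */
    out[len] = '\0';
    return (int)len;
}

/* Hardened form: identical parsing, but the caller passes the real buffer size and the
 * copy is refused when the host plus its terminator would not fit. */
int extract_host_safe(const char *url, char *out, size_t outlen)
{
    const char *host;
    size_t len;
    if (split_host(url, &host, &len) < 0)
        return -1;
    if (outlen == 0 || len >= outlen)
        return -2;               /* over-long host: reject rather than truncate silently */
    memcpy(out, host, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test input: "http://" + hostlen 'A' bytes + "/". Returns the URL length,
 * or 0 if dst is too small to hold it. */
size_t build_oversized_url(char *dst, size_t dstlen, size_t hostlen)
{
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    size_t total = plen + hostlen + 1;
    if (total + 1 > dstlen)
        return 0;
    memcpy(dst, prefix, plen);
    memset(dst + plen, 'A', hostlen);
    dst[plen + hostlen] = '/';
    dst[total] = '\0';
    return total;
}

/* Runs the hardened extractor against a constructed link whose host is hostlen bytes and
 * returns its result code: the host length when it fits, -2 when rejected. */
int probe_safe(size_t hostlen)
{
    char url[1024];
    char host[HOST_MAX];
    if (build_oversized_url(url, sizeof url, hostlen) == 0)
        return -3;
    return extract_host_safe(url, host, sizeof host);
}

int main(void)
{
    char host[HOST_MAX];
    const char *benign = "http://example.com/index.html";  /* constructed sample link */
    int rc = extract_host_safe(benign, host, sizeof host);
    printf("benign host: %d bytes, \"%s\"\n", rc, host);
    printf("63-byte host: rc=%d (fits)\n", probe_safe(63));
    printf("64-byte host: rc=%d (rejected; the unsafe form would overflow here)\n", probe_safe(64));
    printf("500-byte host: rc=%d (rejected)\n", probe_safe(500));
    return 0;
}
```

The unsafe variant is never fed the over-long link in `main`, because doing so is undefined behaviour; the point is that the only difference between the two functions is the single comparison against the destination size, which is exactly what a boundary error omits.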

“Attachments may be spoofed, even in the latest 6.1 version. Be careful about forwarding messages with attachments, as sensitive/private documents may be sent silently. Be careful about clicking on attachments,” said Szabo, who publishes the Secure Your PC site.

Independent research firm Secunia has given the flaw a “highly critical” rating and recommends that Eudora users also be wary of other serious vulnerabilities in the mail client.

Officials at QUALCOMM could not be reached for comment at press time.

The San Diego-based QUALCOMM offers Eudora in two versions: a paid commercial option for $50 and a free, ad-supported (light) mode. The company has invested in adding anti-spam tools for Windows and Mac users, but a scan of security mailing lists shows the product has been riddled with security issues.

Eudora was created by Steve Dorner at the University of Illinois and released, under the name UIUCMail, as one of the first Macintosh e-mail clients. It was originally meant to remain freeware until QUALCOMM acquired the rights to Eudora in 1991 for internal use and eventually extended development to the Windows platform.
