Eudora Suffers Security Scare
Maker of popular e-mail client issues patch for unnamed vulnerabilities.
Matthew Broersma, Techworld.com
Qualcomm has patched serious security vulnerabilities in its Eudora e-mail client that could allow an attacker to take over a Windows system via a specially crafted message.
The bugs affect version 6.2.0 of the application, released in November, and earlier versions. Qualcomm has released an update, version 6.2.1, that fixes the bug.
John Heasman of NGS Software discovered the flaws, which affect only the Windows version. They allow an attacker to execute malicious code on a user's system--with the privileges of the user running Eudora--when a malicious e-mail is previewed or opened, or when a malicious stationery or mailbox file is opened.
NGS Software said it wouldn't release details of the flaws until May 2, to give users time to patch the application.
An advisory from Qualcomm was even less specific, saying only that the flaws "could cause Eudora to crash". However, independent security firm Secunia found the problems serious enough to merit a "highly critical" rating.
An Old Favorite
Eudora was a pioneering example of an easy-to-use e-mail application, and became popular for its advanced features. Its popularity has declined in the face of competition from clients bundled with software packages (such as Outlook and Microsoft Office) or included with operating systems (such as Mac OS X's Mail component). Additionally it now has competition from the open-source community in the form of Thunderbird, released recently by the Mozilla project, which also created the popular Firefox Web browser.
According to Secunia, since 2003 Eudora 6 has been affected by six vulnerabilities, of which just over a third allowed system access. Outlook Express 6 has had ten vulnerabilities in the same time period, of which 31 percent allowed system access. The full version of Outlook has had several additional security holes, but patches for them are bundled with Microsoft Office updates.
The security of Apple Computer's OS X mail client is also difficult to measure, as patches are included with operating system updates. The most recent OS X security fix, at the end of January, patched a relatively low-risk information disclosure bug in Mail.
Thunderbird has only recently reached its 1.0 release, but the 0.x releases suffered 11 security flaws between 2003 and 2005, according to Secunia. Only two of them allowed system access.
