Subject: IP: Eudora "Stealth Attachment" Security Hole Discovered from RISKS
>Date: Thu, 27 Apr 2000 18:35:39 -0500
>From: Bennett Haselton <bennett@peacefire.org>
>Subject: Peacefire: Eudora "Stealth Attachment" Security Hole Discovered
>
>Peacefire has discovered a security hole in all versions of Eudora mail for
>Windows, that can allow a hacker to execute code on a user's machine, by
>sending the user e-mail and having them click on a link:
>
> http://www.peacefire.org/security/stealthattach/
>
>(For example, a Eudora user would see this message with the URL above made
>into a hyperlink so that you can click on it and load it into your browser.
>Using the "stealth attachment" security exploit, you can force code to run
>on the user's machine when they click on the link. Don't worry, *this*
>message is safe :-) But you can go to the above URL and request a
>"demonstration mail" to be sent to you.)
>
>Security holes that allow you to run code on a remote user's machine just by
>sending them e-mail, are extremely dangerous -- a hacker could use this to
>steal or erase any classified data on a remote user's hard drive, even if
>that user were behind a corporate firewall and had anti-virus software
>running. A virus writer could use the exploit to write a virus that could
>spread to almost all Eudora users -- numbering in the millions -- and
>potentially do hundreds of millions of dollars' worth of damage. (Unlike
>most such tricks, this exploit does not require the user to do anything
>"naive", like run an .exe that is sent to them as an attachment.) USA Today
>reported last year on the "BubbleBoy" virus, which similarly used a security
>hole in Microsoft Outlook to cause code to run on a user's machine, simply
>by reading an e-mail message:
>http://www.usatoday.com/life/cyber/tech/ctg633.htm
>
>Unfortunately, unlike the security hole that Peacefire discovered last
>week:
> http://www.peacefire.org/security/jscookies/
> http://news.cnet.com/news/0-1005-200-1717169.html
> http://www.zdnet.com/zdnn/stories/news/0,4586,2553337,00.html
> http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm
>
>this security hole doesn't involve any cool industry buzzwords like
>"javascript" or "cookies". This one just involves -- *YAWN* --
>e-mail. That is, like, *so* 20th-century. Sorry if this is inconvenient
>for journalists writing about this stuff :-)
>
>bennett@peacefire.org (425) 649 9024 http://www.peacefire.org