******************************************************************************
             ------               -----   -----  ---     -----
             |      ----- ----   |          |    |  |   |
             |---   |     |   |  |          |    |  |   |
             |      |--   |   |  |          |    |--    |
             |      |     |   |  |          |    | \    |
             |      ----- ----    -----   -----  |  \    -----

                               A D V I S O R Y

          FA-98.79
******************************************************************************
Topic: Eudora Pro E-Mail Attachments Vulnerability
Source: CIAC

Creation Date: August 11, 1998
Last Updated:


To aid in the wide distribution of essential security information,
FedCIRC is forwarding the following information from CIAC bulletin I-083.
FedCIRC urges you to act on this information as soon as possible.

If you have any questions, please contact FedCIRC:

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov



=======================FORWARDED TEXT STARTS HERE============================

[  For Public Release  ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Eudora Pro E-Mail Attachments Vulnerability

August 11, 1998 22:00 GMT                                         Number I-083
______________________________________________________________________________
PROBLEM:       A vulnerability exists which allows a malicious e-mail message 
               to possibly execute an attachment by hiding the name of the 
               attachment within a Uniform Resource Locator (URL). If a user 
               clicks on the URL the attachment could automatically execute. 
PLATFORM:      Qualcomm's Eudora Pro 4.0 and 4.0.1 running on any Microsoft 
               Windows platform. 
DAMAGE:        If exploited, this vulnerability could allow a rogue e-mail 
               attachment to execute and do anything from reformatting the 
               users hard drive to infecting the computer with a virus. 
SOLUTION:      Apply patch from Qualcomm Inc. 
______________________________________________________________________________
VULNERABILITY  Risk is high. While we have not yet heard of anyone exploiting 
ASSESSMENT:    this vulnerability for malicious reasons, the ease in which it 
               may be exploited makes this a very serious problem. 
______________________________________________________________________________



Qualcomm, Inc. announced on August 7, 1998, that a security
vulnerability has been discovered in their popular e-mail program
Eudora Pro. The vulnerability is limited to Eudora Pro versions 4.0
and 4.0.1 running on the Microsoft Windows platform. This
vulnerability does not affect Eudora Lite, previous Eudora Pro
versions running on the Microsoft Windows platform, or Eudora versions
running on the Macintosh platform.

This vulnerability has no connection to the current problems with the
MIME headers that have been found in Microsoft's Outlook 98 and
Outlook Express and Netscape's Communicator 4.0. For more information
on the MIME Name Vulnerability you can review CIAC's bulletin I-077A.

The vulnerability that was discovered in Eudora Pro 4.0 and 4.0.1 is
fairly easy to exploit. The vulnerability allows someone to send
hostile Java applets, executable programs, or scripts in an e-mail
message and hide the name of the attachment as a URL. A user who
clicks on the URL would launch and run the e-mail attachment allowing
the rogue attachment to execute.

Qualcomm, Inc. has issued a patch for Eudora Pro 4.0 and 4.0.1 to fix
this problem at
http://eudora.qualcomm.com/pro_email/updaters.html.

You can also temporary protect yourself by turning off the Microsoft
viewer from within Eudora. To do this, follow these steps:

1. In Eudora, go to the Tools menu and choose "Options".
2. On the left-hand side of the options window, select "Viewing Mail".
3. On the right hand side of the options window, make sure the box
next to "USE" Microsoft's viewer" is UNCHECKED.
4. Click on "OK" on the bottom of the window.

If you disable the Microsoft viewer feature you will not be able to
read HTML in an e-mail message.

CIAC has not received any reports of this vulnerability being
exploited but the ease of exploiting this problem does not require any
type of sophistication. CIAC highly recommends that anyone running
Qualcomm's Eudora Pro on the Microsoft Windows platform immediately
apply the patch supplied by Qualcomm to fix this problem.




CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-bulletin 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-073: multiscan ('mscan') Tool
I-074: Buffer Overflow in Some Implementations of IMAP Servers
I-075: Microsoft Office 98 Security Vulnerability
I-076: SGI IRIX ioconfig(1M) and disk_bandwidth(1M) Vulnerability
I-077: Mime Name Vulnerability in Outlook and Messenger
I-078: HP-UX ftp Security Vulnerability
I-079: IBM AIX "sdrd" daemon Vulnerability
I-080: Microsoft Exchange  Denial of Service Attacks
I-081: HP-UX & MPEix Predictive Vulnerability
I-082: HP-UX Netscape Servers Vulnerability



-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNdGp5bnzJzdsy3QZAQHvFgP/Vxka2QbOOc4ILIixUgvWWwS17FirtPFj
/3950frEim+o8r5f8ttqceryivZVn7Dlps9TQLVAVEmGEHK6uMQxTJxUB+lFsTNA
RFF950TyW1WWpDaTk/KYib+FPZB1aNdNVMl7+peM5pFc670/+kaGBdhXg0w2WvUt
9jg8WfB17Hc=
=/8DR
-----END PGP SIGNATURE-----


========================FORWARDED TEXT ENDS HERE=============================

The National Institute of Standards and Technology (NIST) has
established a Federal Computer Incident response Capability (FedCIRC)
to assist federal civilians agencies in their incident handling
efforts by providing proactive and reactive computer security related
services.  FedCIRC is a partnership among NIST, the Computer Incident
Advisory Capability (CIAC), and the CERT* Coordination Center
(CERT/CC). 

If you believe that your system has been compromised, please contact
FedCIRC: 

        Telephone:      +1 888 282 0870
        Email:          fedcirc@fedcirc.gov
        Web Server:     http://www.fedcirc.gov/

* Registered in U.S. Patent and Trademark Office
 
The CERT Coordination Center is part of the Software Engineering
Institute.  The Software Engineering Institute is sponsored by the
U.S. Department of Defense.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
 
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.