
To: mmeggs who wrote (13446), 8/7/1998 10:45:00 AM
From: Jon Koplik
 
To all - text of NYT article :

August 7, 1998

Another E-Mail Security Problem
Is Discovered, This One in Eudora

By JOHN MARKOFF

SAN FRANCISCO -- Just days after a serious security flaw was
revealed in two popular electronic mail programs, an equally troubling
vulnerability has been discovered in Eudora, the most widely used of all
e-mail software.

The Eudora flaw makes it possible for a malicious computer user with little or
no programming expertise to booby-trap an e-mail message by inserting a
seemingly harmless link to an Internet location that in fact executes malignant
code. This could permit an attacker to destroy or steal data or to otherwise
tamper with a personal computer.

The security flaw was discovered early this week
by a Massachusetts-based software company.
There are no known instances of anyone actually
taking advantage of the weakness to send damaging
e-mail. Analysts estimate that approximately half a
million Eudora users are affected.

The Qualcomm Corporation, which makes Eudora,
said today that a repaired version of the software
would be available on its Web site on Friday
afternoon.

Eudora's vulnerability is a consequence of the
growing power of e-mail software. Once used
largely to send simple text messages, new versions
of electronic mail programs are increasingly incorporating features that
originated in browser programs for using the World Wide Web. These
features allow e-mail messages to contain software code as well as text.

The growing interconnectedness of most personal computers and devices as
diverse as laboratory equipment, cellular telephones and cable set-top boxes
raises the specter of increased vulnerability for all these devices.

"Today there is a growing trade-off between convenience and security," said
Edward Felten, director of the Secure Internet Programming Laboratory at
Princeton University. "By making it easy to launch a program with a single
click, you're also making it possible to launch a dangerous program with a
single click."

The flaw is found only in Eudora versions 4.0 and 4.0.1, not in earlier
versions. Qualcomm is a San Diego-based telecommunications company.

In all, market researchers estimated today that there are more than 18 million
copies of the commercial and free versions of the Eudora program in use,
only a small portion of which are version 4.0 or 4.0.1.

The security flaw is present in the Windows version of Eudora, but not in the
Macintosh version, which has fewer features enabling it to take advantage of
Web-based programming code from within an e-mail message.

The Eudora vulnerability is a direct descendant of the ancient Trojan horse
deception in which a seemingly harmless item harbors great danger. In the
modern version, a malevolent program is masked by a seemingly benign
pointer known as a universal resource locator, or Web address, which is the
fundamental underpinning of the World Wide Web.

Clicking on a Web address with a mouse button is supposed to take the user
to a page on the Web, but if this flaw was exploited, the user could
unknowingly launch a malicious program.

"The ancient Greeks knew a lot about this hazard," said Robert Frankston, a
veteran software developer and the co-inventor of the software spreadsheet.
"Beware of Greeks bearing gifts."

The Eudora vulnerability is linked to the Internet Explorer browser software
that Microsoft integrated into the most recent versions of its operating
system, Windows 95 and Windows 98. As a result Eudora programmers used
the browser capability within the operating system rather than coding their
own.

Security features in the Windows browser can be set to filter out dangerous
or forbidden commands coming in from the Internet, such as orders to
format a hard drive or insert code into an existing file. But because Windows
assumes that anything already on your computer's hard drive is in a "safe
zone," its browser opens and closes local files and runs most kinds of local
code without such filtering.

This underscores a basic weakness in the security of personal computers that
are connected to today's computer networks.

The Eudora flaw came to light just a little more than a week after security
researchers announced a similar problem in versions of Microsoft's Outlook
and Outlook Express e-mail programs and in Netscape's Mail program. In that
case, a group of researchers in Finland discovered in late June that it was
possible for an attacker to exploit a programming error to force the mail
program to crash and then run a malicious program in its place.

Last week, both Microsoft and Netscape quickly developed fixes, which can
be obtained by getting in touch with the companies' Web sites. Today,
Microsoft began notifying registered users of its software about the problem
via e-mail.

The Eudora vulnerability was brought to light earlier this week by Richard M.
Smith, president of Phar Lap Software, a Cambridge, Mass., maker of
operating system software and products for Microsoft's MS-DOS, the
operating system that predated Windows.

Because much of the software that Phar Lap sells is designed to run in small
devices that are increasingly connected to the Internet, Smith said that he had
grown increasingly cautious about the risks of software transmitted over the
Internet.

After learning of the flaws in the Microsoft and Netscape e-mail programs,
Smith began examining the security of Eudora, the mail program he used.

He soon discovered that it was possible to attach a program to a mail message
and then use the Javascript programming language to mask the identity of the
illicit program, thereby tricking the recipient of the electronic mail message
into inadvertently starting the program by clicking on the Web address.

Both the Java programming language created by software designers at Sun
Microsystems Inc. and the Javascript language created by designers at the
Netscape Communications Corporation are attempts to develop programming
languages that incorporate special security for Internet use.

After reaching both Microsoft and Qualcomm to alert them to the problem,
Smith said, he determined that the problem lay in the way the Qualcomm mail
program interacted with the Javascript programming language, permitting the
Web address to point to and run a local program rather than pointing to a Web
page as the user expected.

"The goal is to have both security and convenience for our users," said
Matthew Parks, Qualcomm's Eudora product line manager. "The real
challenge is for people like us, who are developing these programs so users
don't have to worry about these things."
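The pattern the article describes, a link whose visible text looks like a Web address while its real target is a local program or script, is something a mail gateway or client can check for before rendering. The following scanner is an added example written for this page; it is not code from the article, from Qualcomm, or from Phar Lap, and it reproduces no details of the Eudora exploit (the article gives none). It parses the anchors in an HTML body and flags three things: a target with a non-web scheme (such as `javascript:` or `file:`), a bare relative or drive-letter path that would resolve to a local file, and visible text that names one host while the `href` points at another. The sample message at the bottom is constructed for illustration, and every host in it is a placeholder.

```python
"""Flag deceptive or local-target links in an HTML e-mail body.

Added example for this page; not the article's, Qualcomm's or Phar Lap's code.
SAMPLE_MESSAGE is constructed and its hosts are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes a mail client may reasonably hand to a browser.
WEB_SCHEMES = {"http", "https", "ftp"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")   # None for <a name=...>
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_named_in(text):
    """Host the visible text appears to name ('www.x.com/...'), else ''."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    # Plain words such as 'click here' name no host.
    return host if "." in host and " " not in host else ""


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means none."""
    reasons = []
    target = urlparse(href.strip())
    scheme = target.scheme.lower()
    if scheme in WEB_SCHEMES:
        shown = host_named_in(text)
        real = (target.hostname or "").lower()
        if shown and shown != real:
            reasons.append(f"text shows host {shown!r} but target is {real!r}")
    elif scheme == "mailto":
        pass                                   # no host to compare
    elif scheme == "":
        reasons.append("relative or local path, not a web address")
    elif len(scheme) == 1:
        reasons.append("Windows drive-letter path")   # e.g. C:\...
    else:
        reasons.append(f"non-web scheme {scheme!r}")
    return reasons


def scan_message(html):
    """Return [(href, text, reasons)] for each suspicious link, in body order."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample; hosts are placeholders, not real sites or real mail.
SAMPLE_MESSAGE = """<html><body>
<p>Press release: <a href="http://www.qualcomm.com/eudora/">www.qualcomm.com/eudora/</a></p>
<p>Patch notes: <a href="http://evil.example/notes">www.qualcomm.com/notes</a></p>
<p>Read me: <a href="C:\\Attach\\readme.exe">http://www.qualcomm.com/readme</a></p>
<p>Details: <a href="javascript:void(0)">http://www.nytimes.com/</a></p>
<p>Contact: <a href="mailto:support@example.com">support@example.com</a></p>
</body></html>"""


if __name__ == "__main__":
    for href, text, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"{text!r} -> {href!r}: {'; '.join(reasons)}")
```

Of the five links in the sample, the first and last pass; the other three are flagged (host mismatch, drive-letter path, `javascript:` scheme). The host comparison is deliberately exact rather than suffix-based, so `www.qualcomm.com` shown over a target of `qualcomm.com.evil.example` is still reported.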