Technology Stocks : Qualcomm Incorporated (QCOM)


To: mmeggs who wrote (13446)
8/7/1998 10:45:00 AM
From: Jon Koplik
 
To all - text of NYT article:

August 7, 1998

Another E-Mail Security Problem
Is Discovered, This One in Eudora

By JOHN MARKOFF

SAN FRANCISCO -- Just days after a serious security flaw was
revealed in two popular electronic mail programs, an equally troubling
vulnerability has been discovered in Eudora, the most widely used of all
e-mail software.

The Eudora flaw makes it possible for a malicious computer user with little or
no programming expertise to booby-trap an e-mail message by inserting a
seemingly harmless link to an Internet location that in fact executes malignant
code. This could permit an attacker to destroy or steal data or to otherwise
tamper with a personal computer.

The security flaw was discovered early this week
by a Massachusetts-based software company.
There are no known instances of anyone actually
taking advantage of the weakness to send damaging
e-mail. Analysts estimate that approximately half a
million Eudora users are affected.

The Qualcomm Corporation, which makes Eudora,
said today that a repaired version of the software
would be available on its Web site on Friday
afternoon.

Eudora's vulnerability is a consequence of the
growing power of e-mail software. Once used
largely to send simple text messages, new versions
of electronic mail programs are increasingly incorporating features that
originated in browser programs for using the World Wide Web. These
features allow e-mail messages to contain software code as well as text.

The growing interconnectedness of most personal computers and devices as
diverse as laboratory equipment, cellular telephones and cable set-top boxes
raises the specter of increased vulnerability for all these devices.

"Today there is a growing trade-off between convenience and security," said
Edward Felten, director of the Secure Internet Programming Laboratory at
Princeton University. "By making it easy to launch a program with a single
click, you're also making it possible to launch a dangerous program with a
single click."

The flaw is found only in Eudora versions 4.0 and 4.0.1, not in earlier
versions. Qualcomm is a San Diego-based telecommunications company.

In all, market researchers estimated today that there are more than 18 million
copies of the commercial and free versions of the Eudora program in use,
only a small portion of which are version 4.0 or 4.0.1.

The security flaw is present in the Windows version of Eudora, but not in the
Macintosh version, which has fewer features, enabling it to take advantage of
Web-based programming code from within an e-mail message.

The Eudora vulnerability is a direct descendant of the ancient Trojan horse
deception in which a seemingly harmless item harbors great danger. In the
modern version, a malevolent program is masked by a seemingly benign
pointer known as a universal resource locator, or Web address, which is the
fundamental underpinning of the World Wide Web.

Clicking on a Web address with a mouse button is supposed to take the user
to a page on the Web, but if this flaw was exploited, the user could
unknowingly launch a malicious program.

"The ancient Greeks knew a lot about this hazard," said Robert Frankston, a
veteran software developer and the co-inventor of the software spreadsheet.
"Beware of Greeks bearing gifts."

The Eudora vulnerability is linked to the Internet Explorer browser software
that Microsoft integrated into the most recent versions of its operating
system, Windows 95 and Windows 98. As a result Eudora programmers used
the browser capability within the operating system rather than coding their
own.

Security features in the Windows browser can be set to filter out dangerous
or forbidden commands coming in from the Internet, such as orders to
format a hard drive or insert code into an existing file. But because Windows
assumes that anything already on your computer's hard drive is in a "safe
zone," its browser opens and closes local files and runs most kinds of local
code without such filtering.

This underscores a basic weakness in the security of personal computers that
are connected to today's computer networks.

The Eudora flaw came to light just a little more than a week after security
researchers announced a similar problem in versions of Microsoft's Outlook
and Outlook Express e-mail programs and in Netscape's Mail program. In that
case, a group of researchers in Finland discovered in late June that it was
possible for an attacker to exploit a programming error to force the mail
program to crash and then run a malicious program in its place.

Last week, both Microsoft and Netscape quickly developed fixes, which can
be obtained by getting in touch with the companies' Web sites. Today,
Microsoft began notifying registered users of its software about the problem
via e-mail.

The Eudora vulnerability was brought to light earlier this week by Richard M.
Smith, president of Phar Lap Software, a Cambridge, Mass., maker of
operating system software and products for Microsoft's MS-DOS, the
operating system that predated Windows.

Because much of the software that Phar Lap sells is designed to run in small
devices that are increasingly connected to the Internet, Smith said that he had
grown increasingly cautious about the risks of software transmitted over the
Internet.

After learning of the flaws in the Microsoft and Netscape e-mail programs,
Smith began examining the security of Eudora, the mail program he used.

He soon discovered that it was possible to attach a program to a mail message
and then use the Javascript programming language to mask the identity of the
illicit program, thereby tricking the recipient of the electronic mail message
into inadvertently starting the program by clicking on the Web address.

Both the Java programming language created by software designers at Sun
Microsystems Inc. and the Javascript language created by designers at the
Netscape Communications Corporation are attempts to develop programming
languages that incorporate special security for Internet use.

After reaching both Microsoft and Qualcomm to alert them to the problem,
Smith said, he determined that the problem lay in the way the Qualcomm mail
program interacted with the Javascript programming language, permitting the
Web address to point to and run a local program rather than pointing to a Web
page as the user expected.

"The goal is to have both security and convenience for our users," said
Matthew Parks, Qualcomm's Eudora product line manager. "The real
challenge is for people like us, who are developing these programs so users
don't have to worry about these things."



To: mmeggs who wrote (13446)
8/7/1998 10:46:00 AM
From: John Carragher
 
August 7, 1998

Security Flaw Found in Eudora;
Qualcomm Plans to Offer Patch

Associated Press

SAN DIEGO -- A major security flaw has been found in Eudora, the
Internet's most popular electronic mail program, a spokesman for the
software's manufacturer said.

The discovery was made days after flaws were found in two other widely
used e-mail programs, Microsoft Corp.'s Outlook and Netscape
Communications Corp.'s e-mail client that comes with Communicator.

The Eudora security breach could allow
someone to maliciously send an e-mail file
attachment that could erase files or install a
virus, said Matthew Parks, manager of
Qualcomm Inc.'s Eudora product line. Mr.
Parks said that has not happened to anyone.

"Essentially what happened is one of our users
reported that ... he was actually able to find a possible security flaw within
e-mail," Mr. Parks said.

San Diego-based Qualcomm plans to release a software patch on its Web
site Friday that users can download to update their software. "It will
essentially fix the security hole that was found two days ago," he said.

The flaw affects the Windows 95 versions of Eudora 4.0 and 4.0.1, as
well as 4.1, which is being circulated in test form. It could affect other
Microsoft operating systems, but that had not been verified.

This revelation comes less than a week after researchers in Finland
discovered that a programming error could enable a hacker to crash
Microsoft's Outlook and Outlook Express e-mail programs and the
Netscape program and run a destructive application in their place. Both
companies provided a patch for users to download.

Copyright © 1998 Dow Jones & Company, Inc. All Rights Reserved.