Eudora speared by massive security hole

Highly popular e-mail program Eudora contains an "easily exploitable" hole that allows remote system access.

According to security experts Secunia and the person who discovered the hole, Paul Szabo, the hole can be exploited with no more than a malicious email containing an overly-long link (over 300 bytes).

It's the usual buffer overflow, execution of malicious code scenario but it affects the most recent versions of Eudora - including the 6.1 update, released just this week. Szabo says the hole "seems fixed in 6.0.1 and 6.0.3, but is un-fixed (exploitable again) in 6.1". However, Secunia reports that 6.0.3 remains vulnerable. Not only this but 5.2.1 and older versions may be wide open too.

With no patch - and no comment as yet by Eudora - the advice given by both Szabo and Secunia is simple: "Don't use Eudora." Both warn there are also other highly critical vulnerabilities in the software, including the fact that attachments can be spoofed and are also pre-extracted, making the spread of worms and viruses far more likely.

Szabo says: "If you still insist on using Eudora, you must disable both Allow executables in HTML content and Use Microsoft's viewer in Tools > Options > Viewing Mail. " He goes on:"You may also want to disable automatically download HTML graphics in Display."

Eudora was an early leader in the e-mail program market, in much the same way as Netscape's Navigator stormed the browser market. However, both have suffered at the hands of Microsoft (Outlook and Explorer, respectively) and occupy a small but significant five per cent of the market. That still means a lot of email clients being open to attack however, and so it is unlikely to be long before an email with malicious code attached is fired out there.

Lots more info is available on Szabo's site here.