Certain versions of Qualcomm’s popular email client, Eudora, are vulnerable to attack by malicious mobile code. ComputerWire’s technical staff investigated the flaw and found that the way Eudora embeds Internet Explorer to interpret mail in HTML could put users at risk by making executable files appear to be innocent web links. An attacker could modify the JavaScript applet that identifies a web link when the mouse hovers over it. This could mislead a user into believing that the link is safe, when in fact clicking on it might unleash malicious code. The flaw exists only in Eudora Pro 4.0, 4.0.1 and 4.1, which embed Internet Explorer. Earlier releases, Eudora Lite and Macintosh versions do not embed the browser and are therefore unaffected. Qualcomm said it has taken immediate steps to address the issue and after review is satisfied that the problem has been solved.

The Eudora flaw is comparable in severity to the buffer overrun attacks found in Microsoft Outlook and Netscape Communicator last week (CI No 3,463), and it appears to have been resolved even more swiftly than those were. That makes it difficult to understand why the New York Times ran the Eudora story on the front page. The buffer overrun attacks also received critical attention in the Times, but they were not treated to anything like the same level of prominence.

NYT technology reporter John Markoff is no stranger to controversy. Critics say Takedown, his account of Tsutomu Shimomura’s investigation into hacker Kevin Mitnick, is sensationalized (Bob Brand in The Sacramento Bee) and attention-grabbing (Simson Garfinkel in The San Jose Mercury News). Those terms would certainly apply to Markoff’s story on the vulnerability in Eudora. The Times story set the tone for other outlets’ treatment of this relatively ordinary hole, but the wooden spoon must surely go to Microsoft subsidiary MSNBC, which headlined its piece: Eudora flaw allows e-mail mayhem. How could they tell?