Normally, before Eudora and similar email applications will run an executable file attached to an email message, they will present a warning that asks whether the recipient wants to risk running untrusted code on the computer. But in an exploit devised by bug hunter and anti-content-filtering advocate Bennett Haselton, a hostile email sender can circumvent that warning.
"This is a potential way to get around Eudora's ability to warn people that something dangerous could happen," said Jeff Beckley, technical lead for Windows Eudora at Qualcomm.
Haselton's exploit works by attaching an executable (".exe") file and linking to that file from the body of the message through another attached file, this one of the Windows shortcut file type (".lnk").
If someone were to click directly on an ".exe" file, Eudora would flash a warning. But routed through the ".lnk" file, the executable gets a free pass.
Moreover, Haselton's demonstration works by disguising the ".lnk" extension, making the ruse effective against more savvy individuals.
Beckley said Qualcomm would add ".lnk" to its list of file extensions that earn warnings in the next iteration of Eudora for the Windows operating system, version 4.3.2. Beckley described that version as "weeks away."
In the meantime, people can take matters into their own hands by changing security clearance settings themselves. Those with Windows Eudora 4.2 and higher can copy the following link into a Eudora composition message, add angle brackets before and after it, hold down the "Alt" key and click on the "OK" button:
Others who use Eudora should find the "Eudora.ini" file in their Eudora program file and add "WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|" after the line that has the text "Settings."
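One way to check a Eudora.ini file for the setting described above and add ".lnk" where it is missing, as an added example that is not from the article or from Qualcomm. It assumes the "Settings" line is the `[Settings]` section header; the function name and the sample file contents are constructed for illustration.

```python
import re

KEY = "WarnLaunchExtensions"
# Value quoted in the article: pipe-delimited extensions with a trailing "|".
ARTICLE_VALUE = "exe|com|bat|cmd|pif|htm|do|xl|reg|lnk|"

# Constructed sample file contents; "ExampleKey" is a placeholder, not a real setting.
SAMPLE_INI = "[Settings]\nExampleKey=1\nWarnLaunchExtensions=exe|com|bat|\n"


def ensure_lnk_warning(ini_text):
    """Return (new_text, action); action is 'ok', 'appended' or 'added'.

    Output uses "\n" line endings; convert back if the original used CRLF.
    """
    lines = ini_text.splitlines()
    section = None
    settings_idx = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).strip().lower()
            if section == "settings" and settings_idx is None:
                settings_idx = i
            continue
        if section != "settings" or "=" not in stripped:
            continue
        name, value = stripped.split("=", 1)
        if name.strip().lower() != KEY.lower():
            continue
        exts = [e.strip() for e in value.split("|") if e.strip()]
        if "lnk" in (e.lower() for e in exts):
            return ini_text, "ok"  # shortcut files already trigger the warning
        # Keep the user's existing entries and append lnk, preserving the trailing "|".
        lines[i] = KEY + "=" + "|".join(exts + ["lnk"]) + "|"
        return "\n".join(lines) + "\n", "appended"
    if settings_idx is None:  # no [Settings] section at all: create one
        lines.append("[Settings]")
        settings_idx = len(lines) - 1
    # Key absent: add the article's line directly after the [Settings] header.
    lines.insert(settings_idx + 1, KEY + "=" + ARTICLE_VALUE)
    return "\n".join(lines) + "\n", "added"


if __name__ == "__main__":
    new_text, action = ensure_lnk_warning(SAMPLE_INI)
    print(action)
    print(new_text, end="")
```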