Email bug found in Eudora

The security breach in Qualcomm's Eudora could allow someone to email file attachments that could erase files or install a virus.

Strike three for email programs.

Qualcomm announced today a security hole was discovered in its popular Eudora email system, just days after holes were found in the mail software that comes with Netscape Communications' Communicator Web browser and in Microsoft's Outlook and Outlook Express programs.

The security breach in Eudora could allow someone to email file attachments that could erase files or install a virus, according to Matthew Parks, manager of the Eudora product line.

"Essentially, someone could send you a program that could do malicious things," he said.

Parks explained that the Eudora flaw makes it possible for a malicious computer user to insert a link to an Internet site that executes destructive code.



The security flaw was discovered early this week by a user of the mail program at a Massachusetts-based software company. There are no known cases of anyone actually using the flaw to send destructive email.

The San Diego-based firm is planning to release a patch today on its Web site that users can download to fix the problem. The problem affects the Windows 95 versions of Eudora 4.0 and 4.0.1.

The problem does not affect the most recent Eudora Pro Version 4.1, which is available for beta test. Nor does it affect Eudora Light or earlier versions of Eudora Pro.

Qualcomm is still testing to see if other operating system versions are affected. Parks said Macintosh versions of the software and Windows 3.1 versions are safe. Windows 98 versions could be affected.

Last week, researchers in Finland discovered a flaw in Microsoft and Netscape mail programs involving file attachments with long names. When a user attempts to download, open, or launch a file attachment that has a name longer than 200 characters, the action might cause the email software to crash. At that point, a skilled hacker could possibly run arbitrary code in the computer's memory, according to a security bulletin posted by Microsoft.

Ironically, Qualcomm within days posted an advisory on its Web site claiming its mail programs were free of the flaw and not susceptible to such security attacks. The note was posted Wednesday, the same day the Eudora user notified Qualcomm of the related security flaw in its mail systems.