Two email packages hit by security bugs

Two major email systems were hit by reports of security flaws this week. Qualcomm denied that there was a bug in Eudora, while bug hunters at Lopht Heavy Industries discovered a problem in Lotus Notes.

US reports claimed Qualcomm was due to release a software patch on its Web site today after discovering a flaw in Eudora for Windows 95 that allowed emails to erase files or install viruses.

Instead, the company published a statement that said: ?Eudora Pro Email, Eudora Pro Comm Center and Eudora Light are not susceptible to buffer overflow security problem. [We] rigorously tested... Eudora email software after becoming aware of the buffer overflow security problems recently found in Microsoft and Netscape email programs. Eudora email products are not susceptible to these types of attacks.?

Qualcomm tested Eudora Pro and Eudora Comm Center versions 4.0, as well as Eudora Pro and Eudora Light versions 3.0 on both the Windows and Macintosh platforms. In all cases, it claimed, Eudora does not allow unauthorised programs to be automatically executed on a user's system.

Lopht Heavy Industries warns that Notes 4.6 is bugged and remote intruders may access confidential company records in development databases. The Boston based group of software enthusiasts, bug hunters and hacker experts, received reports that some implementations of Lotus Domino via the Notes Client are particularly vulnerable.

Most notably, ?it affects companies using Lotus Notes primarily for development purposes or as an Intranet. Also, any servers distributed with the Lotus Notes Client that are not running the Hypertext Transport Protocol Daemon task are vulnerable by default.?

Lopht said temporary access files should be edited manually to ensure security and Lotus has posted a note to its Web site providing instructions on how to avoid any violations.