attrition.1999-09-17.eudora3x                  Fri Sep 17 23:30:00 PDT 1999

Vendor: Qualcomm (Eudora 3.x)          Platform: Microsoft Windows 95/98/NT

                   Attrition's Little Errata Report Team

                        -<)  A . L . E . R . T  (>-

       This advisory reports  a  recently-discovered security issue.
       It may contain a workaround or information on where to obtain
       an appropriate patch.  Advisories should be considered urgent
       as these notices are written only when the likelihood of wide
       impact is determined by the Attrition staff.  An HTML version
       of this and other advisories can be found at Attrition.Org at

  PGP Encryption/Signature Corruption by Qualcomm Eudora 3.x Spellchecker

Systems running Microsoft Windows 95/98 and NT, using Qualcomm's Eudora
v3.x with the NAI PGP plug-in.  Unconfirmed reports that MacOS versions are
similarly affected.  Qualcomm Eudora v4.x is not affected.

Qualcomm Inc. ( sells and distributes a Mail User
Agent (MUA) package called Eudora ( which supports a
number of plug-in utilities, one of which is the Network Associates Inc.
(NAI) Pretty Good Privacy (PGP) suite of tools for digital signatures and
encryption (

This advisory specifically addresses a bug which exists in the application
of the Eudora spellchecking tool and its impact on the NAI PGP plug-in for
Eudora v3.x.

Qualcomm's Eudora Mail User Agent v3.x, when used in concert with NAI's 
PGP plugin, exhibits a counterproductive behavior when the user digitally
signs their outgoing message.  A majority of Eudora users, upon first
using Eudora, elect to have spellcheck performed when they send their
e-mail.  This is all well and good, unless the PGP plug-in (through no
fault of NAI's work) is brought into play.

Upon completion of the message, the user toggles the PGP-sign and/or the
PGP-encrypt button and then elects to send the message.  It is at this
point that the bug presents itself.

Rather than performing spellchecking first, Eudora invokes PGP to sign or
encrypt the message as specified, *then* invokes spellchecking.  A series
of screen shots have been taken as a proof-of-bug on this report and are
available at:
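The reported ordering, modeled as an added example that is not part of Attrition's advisory or of Qualcomm's or NAI's code: an Ed25519 signature stands in for the PGP signature and a two-entry dictionary for Eudora's spellchecker (both are assumptions). Signing first and spellchecking afterwards alters the signed text, so the signature no longer verifies; spellchecking first and signing afterwards does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

const sigBegin, sigEnd = "-----BEGIN SIGNATURE-----", "-----END SIGNATURE-----"

// Constructed stand-in for Eudora's spellchecker; like the real one it runs over every word, signature block included.
var corrections = map[string]string{"teh": "the", "recieve": "receive"}
var word = regexp.MustCompile(`[A-Za-z]+`)

func spellcheck(text string) string {
	return word.ReplaceAllStringFunc(text, func(w string) string {
		if fix, ok := corrections[w]; ok {
			return fix
		}
		return w
	})
}

// sign appends an armored Ed25519 signature over body (a stand-in for PGP).
func sign(priv ed25519.PrivateKey, body string) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(body)))
	return body + "\n" + sigBegin + "\n" + sig + "\n" + sigEnd + "\n"
}

// verify splits the armored message into body and signature and checks it.
func verify(pub ed25519.PublicKey, msg string) bool {
	i := strings.Index(msg, "\n"+sigBegin+"\n")
	start, end := i+len(sigBegin)+2, strings.Index(msg, "\n"+sigEnd)
	if i < 0 || end < start {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(msg[start:end])
	return err == nil && ed25519.Verify(pub, []byte(msg[:i]), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := "Please recieve teh attached report."
	signedThenChecked := spellcheck(sign(priv, body)) // Eudora 3.x order
	checkedThenSigned := sign(priv, spellcheck(body)) // correct order
	fmt.Println(verify(pub, signedThenChecked), verify(pub, checkedThenSigned)) // false true
}
```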
The end result of this bug is that the user is compelled to remedy spelling
errors and otherwise inaccurate data *after* they have digitally signed the
document, thus altering the content and invalidating the PGP signature.
Eudora's spell checker goes a step further and even attempts to "correct" the
PGP signature itself!  As most Windows users do not fully understand how PGP
works, when they receive complaints about their "corrected" signed and
encrypted messages (reports of Bad Signatures or unrecoverable encrypted
files), they will likely attribute the problem to system error.  It is also
highly likely that a chronic history of this sort of data corruption will
compel users either to dismiss Bad Signatures outright as inconsequential,
or to abandon the use of PGP encryption and signatures altogether.  This
unfortunate set of circumstances defeats the use of PGP encryption and
content authentication entirely.

RECOMMENDED ACTIONS
---------------------------------------------------------------------------

Users are encouraged either to switch mail user agent software, to disable
automatic spellchecking, or to upgrade to Eudora v4.x if they wish to
continue using the PGP plug-in for Eudora.  Another alternative is to
spellcheck mail in an external application before pasting it into the Eudora
message body.

We do NOT recommend abandoning any use of PGP in any way.  As previously
stated, the fault is not with NAI PGP.

CREDITS
---------------------------------------------------------------------------

ADVISORY AUTHOR: Cancer Omega <>

THANKS TO      : Ron S. Dotson for first mentioning this odd behavior of
                 Qualcomm's Eudora, and Jay D. Dyson for passing on to the
                 Attrition Staff the proof-of-bug screenshots.

DEDICATION     : This advisory is dedicated to Satrina 'cause she 0wnz me.
                 No fooling.
CONTACT INFORMATION
---------------------------------------------------------------------------

Questions regarding this advisory or information regarding new advisories
and potential vulnerabilities should be directed to ALERT using one of the
following methods:

E-Mail:
WWW   :

The ALERT PGP Public Key (PGP v2.6.2, RSA) is available at: