I have been doing some research on security problems
with Email and found a Java applet that can corrupt the
Eudora 4 Email reader. Once Eudora 4 has been corrupted,
it can no longer read Email because the program continually
crashes on start-up. The worst part of the problem is
the applet is sent in an Email message and is automatically
executed by Eudora when the Email message is read.

I found the hostile Java applet that crashes Windows 95
using AltaVista. A demo page for the applet can be found at:
http://users.tmok.com/~dr_bulge/smt1/

On the Web page there is no description of how the
applet operates. I assume that it grabs system resources
until Windows 95 can't run anymore.

On my system the applet crashes both the Internet Explorer 4 JVM and
the Netscape 4.02 JVM. The applet takes about 20 to 30
to take down Windows 95. At first nothing seems out of
the ordinary. Then the hard disk goes crazy with disk
seeks. CTRL/ALT/DEL doesn't seem to work and about
10 seconds later the entire system locks up.

As an experiment, I mailed the HTML demo page to myself.
I read Email with Eudora 4 which uses IE4 under the
covers to display HTML Email messages.
Sure enough when I read the message in Eudora, the Java
applet ran and my system died again.

I then rebooted and restarted Eudora. I wanted to delete
the message, but I accidentally double-clicked and ended
up reading the message again. I quickly tried to
exit Eudora to avoid a reboot. However the Java
applet had already started running again. So I was
forced to reboot anyway.

Unfortunately, when I tried running Eudora for the third
time, it died with a page fault during start-up. I
tried running it two more times with the same page fault.
The Java applet had somehow corrupted Eudora and
made it not runnable.

I started doing some detective work to see what was wrong.
At first I thought that my In box files were corrupted
but they seemed to be okay. With a little more playing
around I discovered that the EUDORA.INI file was bad and
some setting in it was causing Eudora to page fault.
I deleted the EUDORA.INI file and reconfigured Eudora
and now everything is working again.

It sure seems to me that Java is not anywhere near as safe as
Sun is claiming it to be. Worse yet, now that many Email readers
are going to HTML, hostile Java applets can be distributed
simply by sending them in Email messages.

To solve the problem, I think that Email readers that support
HTML Email messages should have an option to turn off Java
applets, JavaScript, and ActiveX controls in Email messages. As
far as I can tell Eudora 4 has no such feature.
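
The option proposed in the last paragraph can be sketched as a filter that removes active content from HTML mail before it reaches the rendering engine. This is an added example, not part of the original post and not Eudora's code; the class name, function names and sample message are constructed for illustration.

```python
import email, html, re
from email import policy
from html.parser import HTMLParser

ACTIVE, VOID = {"applet", "script", "object", "embed"}, {"embed"}  # <embed> has no end tag

class Stripper(HTMLParser):
    """Re-emit HTML without active elements or script-bearing attributes."""
    def __init__(self):
        super().__init__()
        self.out, self.removed, self.depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE:
            self.removed.append(tag)
            self.depth += tag not in VOID
        elif not self.depth:  # also skips <param> inside a dropped element
            keep = [(k, v) for k, v in attrs if not k.startswith("on") and not
                    re.sub(r"[\x00-\x20]", "", v or "").lower().startswith("javascript:")]
            self.out.append("<" + " ".join([tag] + [
                k if v is None else f'{k}="{html.escape(v)}"' for k, v in keep]) + ">")
    def handle_endtag(self, tag):
        if tag in ACTIVE:
            self.depth = max(0, self.depth - (tag not in VOID))
        elif not self.depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.depth:  # text is re-escaped so it cannot become markup
            self.out.append(html.escape(data, quote=False))

def strip_active_html(text):
    p = Stripper()
    p.feed(text)
    p.close()
    return "".join(p.out), p.removed

def strip_active_message(raw):  # raw: the whole message as bytes
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            clean, found = strip_active_html(part.get_content())
            part.set_content(clean, subtype="html")
            removed += found
    return msg, removed

# Constructed sample message (not the applet page from the post).
SAMPLE = (b"Subject: demo\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
          b'<body onload="x()"><p>Hi &amp; bye</p><applet code="Demo.class">'
          b'<param name="a" value="b">alt</applet><a href="javascript:x()">l</a></body>\r\n')
```

An unclosed `<applet>` or `<object>` causes everything after it to be dropped, so the filter fails closed; comments and declarations are also discarded.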