A recently discovered bug in the popular Pegasus freeware e-mail program can make any file on a hard drive vulnerable to downloading. The security problem relates to version 3.12c of the Pegasus Mail client. File uploads can be triggered through an HTML document-based attack using the “mailto:” flag. This particular bug concerns only Microsoft Internet Explorer 5 users. To date, I have been unable to check it out for other versions of the browser. This particular bug does not affect Macintosh and MS-DOS versions of the Pegasus Mail client.
Pegasus Mail has been around for about a decade and is an extremely versatile program used on either stand-alone systems or networks. The program is significant because it was the first e-mail client to implement filtering. Because the program also supports mail merge, multiple users on a single computer, and large address databases, it has proven to be popular in a number of business settings. Novell NetWare 3.x, 4.x, and 5.x in Bindery Mode and 4.x and 5.x in NDS mode support Pegasus in many NetWare shops. Pegasus Mail also runs on NT, LANTastic, and Windows peer-to-peer networks. Ironically, the flaw resides in the latest version (v3.12c) which, according to the Pegasus Web site, the company wanted to be "the best, most reliable, and stable version of Pegasus Mail produced to date."
The fix is simple, but draconian. The only real way to plug this hole is for Internet Explorer users to avoid setting Pegasus Mail as their default mail client.
This latest version is “the end of the line for the v3.x family of Pegasus Mail for Windows products,” and it contains a lot of bug fixes (the emphasis is from the company). However, even though many users have downloaded the upgrade, the more than 50 fixes are still considered minor.
An upgrade of Pegasus Mail is in the works, and the author, David Harris, says the new version will feature major improvements over previous versions. Hopefully, this new version will completely patch the security hole.
Have a comment?
If you'd like to share your opinion, post a comment below or send the editor an e-mail.