Qualcomm has patched serious security vulnerabilities in the Eudora e-mail client that could allow an attacker to take over a Windows system via a specially crafted message.

The bugs affect version 6.2.0 of the application, released in November, and earlier versions. Qualcomm released an update, verison 6.2.1, that fixes the bug - it's available here.

John Heasman of NGSSoftware discovered the flaws, which only affect the Windows version. They allow an attacker to execute malicious code on a user's system with the privileges of the user running Eudora, when a malicious e-mail is previewed or opened, or when a malicious stationary or mailbox file is opened.

NGSSoftware said it wouldn't release details of the flaws until 2 May 2005 to give users time to patch the application.

An advisory from Qualcomm was even less specific, only saying that the flaws "could cause Eudora to crash". However, independent security firm Secunia found the problems serious enough to merit a "highly critical" rating.

Eudora was a pioneering example of an easy-to-use e-mail application and became popular based on its advanced features. Its popularity has declined faced with competition from clients bundled with software packages (such as Outlook and Microsoft Office) or included with operating systems (such as Mac OS X's Mail component). It now also faces competition from the open-source community in the form of Thunderbird, released recently by the Mozilla project, which also created the popular Firefox Web browser.

Eudora 6 has been affected by six vulnerabilities since 2003, according to Secunia, of which just over a third allowed system access. Outlook Express 6 has had 10 vulnerabilities in the same time period, of which 31 percent allowed system access. The full version of Outlook has had several additional security holes, but these patches are bundled with Microsoft Office updates.

The security of Apple's OS X mail client is also difficult to measure as patches are included with operating system updates. The most recent OS X security fix, at the end of January, patched a relatively low-risk information disclosure bug in Mail.

Thunderbird has only recently reached its 1.0 release, but the 0.x releases faced 11 security flaws between 2003 and 2005, according to Secunia. Only two of these allowed system access.