Spyware, Viruses via HTML in Email

[Roberts]

Is it possible/likely to get

1) Spyware
2) Adware
3) Virus

from email opened in Outlook Express containing HTML? I have all the latest
MS security and critical updates and I use Norton Internet Security w/ its
firewall and Norton AV. All of these have the latest updates. I also use the
built-in Windows XP firewall.

I don't use AOL.

TIA
--R

 

[JW]

HTML script embedded in HTML can do just about anything. It can spread
viruses, worms, and Trojan horses. It can open back door ports for hackers
to come in. It can harvest your keystrokes (passwords, account IDs). In
other words, it can do things far worse than annoying pop up ads. Your
anti-virus program might stop the infection, but might not.

In a recent test by PC World comparing security products, Norton AV caught
97.5% of 14,288 Trojan horses used in the test, according to PC World. (See
http://www.pcworld.com/reviews/article/0,aid,115939,pg,4,00.asp). That
still leaves you vulnerable to only 357 known Trojan horses. To make
matters worse, Trojan horses can carry worms or viruses. Will your
AntiVirus program stop the worms and viruses ? Maybe. There's always the
risk of your PC being infected by a formerly unknown virus/worm, Before (a)
the AV software vendor makes an update available, and (b) you download the
AV update.

Moral of the story. Never never open Email displayed using HTML. Either
open it as text only, or do what I do. I read Email displayed using the
remote IMAP server, without ever downloading it to my PC. Another tip: If
you're using anti-spyware, be aware that many free versions do Not have a
memory resident component that proactively filters and stops spyware as it
enters. These free versions are only intended to clean up the mess, After
the damage is Already done.

The purchased versions do have a memory resident component that proactively
filters and stops spyware as it attempts to enter. As with many things in
life. You can (a) save money now and waste time later, or (b) invest a
little money now and save a lot of time and misery later. Don't risk
unnecessary grief. Choose AdAware Plus/Pro, or the purchased version of
SpySweeper by WebRoot (the most recent winner of PC Magazine's Editors'
Choice Award http://www.webroot.com/)



Is it possible/likely to get

1) Spyware
2) Adware
3) Virus

from email opened in Outlook Express containing HTML? I have all the latest
MS security and critical updates and I use Norton Internet Security w/ its
firewall and Norton AV. All of these have the latest updates. I also use the
built-in Windows XP firewall.

I don't use AOL.

TIA
--R

 

[Juergen Heinzl]

Is it possible/likely to get

1) Spyware
2) Adware
3) Virus

from email opened in Outlook Express containing HTML? I have all the latest
MS security and critical updates and I use Norton Internet Security w/ its
firewall and Norton AV. All of these have the latest updates. I also use the
built-in Windows XP firewall.

[-]
Yes, but you can do something about it.

* See Extras -> Options -> Security as OE uses the same security
settings as IE and use the restricted zone to start with.
* Disable the preview window.
* Block attachments.
* Text is fine for email.
* Use a free mail account, like hotmail, for your email address isn't
valid and some people really *do* hate that.
* Switch OE to offline mode if text isn't fine with you before reading
your email for Web Bugs don't like that.

Last but not least unless you read your email Administrator or as a
member of Administrators Spyware, Adware and Viruses are going to have a
hard time to install themselves.

Cheers,
Juergen

 

[Roberts]

Wow ! Thanks for the heads up !

I had a feeling that HTML in an email was just as risky as visiting a web
site. I suppose JavaScript and ActiveX can be run from both. I'm unable to
figure out how to look at email as text only using Outlook Express. Is this
possible?

As for memory resident spyware what do you think of Spybot S&D with its
immunize function? Do you think that AdAware Plus/Pro and the purchased
version of SpySweeper by WebRoot will work well with each other or is this a
case where more is not better?

--r

 

[Roberts]

I liked and am applying all the suggestions you made. I particularly like
the one about setting up a different, non-administrator account for internet
browsing. That is very cool.

As I wrote to JW I sure would like to know how to configure my Outlook
Express to read email as text only.

--Roberts

Is it possible/likely to get

1) Spyware
2) Adware
3) Virus

from email opened in Outlook Express containing HTML? I have all the latest
MS security and critical updates and I use Norton Internet Security w/ its
firewall and Norton AV. All of these have the latest updates. I also use the
built-in Windows XP firewall.

[-]
Yes, but you can do something about it.

* See Extras -> Options -> Security as OE uses the same security
settings as IE and use the restricted zone to start with.
* Disable the preview window.
* Block attachments.
* Text is fine for email.
* Use a free mail account, like hotmail, for your email address isn't
valid and some people really *do* hate that.
* Switch OE to offline mode if text isn't fine with you before reading
your email for Web Bugs don't like that.

Last but not least unless you read your email Administrator or as a
member of Administrators Spyware, Adware and Viruses are going to have a
hard time to install themselves.

Cheers,
Juergen

 

[JW]

Click on Tools, then Options.
There's a check box labeled "Read all messages in plain text".

I like Spybot S&D, and use it with the purchased version of SpySweeper. I
think the PC World article I referred to recommended using Spybot S&D in
conjunction with AdAware Plus/Pro. They are good at catching spyware and
attempts to change the registry. There's no need to use both SpySweeper and
AdAware Plus/Pro.

I don't know if JavaScript, VBscript and ActiveX can be run from Email
messages displayed in Outlook Express using HTML. Although they can be used
for spying, they can also be used for a wide range of constructive (e.g.
enhancing the web site experience) and destructive purposes (e.g. wrecking
your operating system), so they fall into a more broad category called
"mobile code", instead of spyware. To stop JavaScript, VBscript and
ActiveX, I rely on 3 defenses.

I set ZoneAlarm Pro to block all Mobile Code (JavaScript, VBscript, ActiveX
objects, integrated MIME objects, etc.). If this prevents a web site from
functioning properly, then I go to the Site List tab, and change Block to
Allow only for that single web site, if I trust it. For me, I have found
this method easier than turning it on and off in Internet Explorer, not to
mention all the Security Vulnerabilities uncovered in IE in the last year.
Second, I never use an Admin account to surf the wild wild web. Much too
dangerous, since any crippleware would run with the same privileges as the
account you log in with. I use a Limited Account for surfing.

Third, I use NTFS permissions to block all access except Read/Execute, to
the folders named \Windows and \Program Files, by accounts in the group
named Users. (Admin accounts keep full control.) I've not heard of anybody
else doing this, but I glad I do. Since I set up auditing in XP Pro, I can
see failed attempts every day by some vermin from somewhere, trying to
monkey with my \Program Files or \Windows folders. Sometimes trying to
change files (e.g. explorer.exe). Sometimes trying to uninstall stuff. All
recorded in the Event Log as Failed Attempts.

In the way of disclaimers, all the defenses in the world will not guarantee
100% security. Experts will tell you there is no such thing as a
hacker-proof computer, just like experts will tell you there is no such
thing as a burglar-proof house. It's all a matter of deterrents. Given a
choice, which house would a burglar choose ? A house with no fence, no
dogs, no cars, no lights on, no sound, and windows wide open ? Or a house
with an electric fence, 2 trucks in the driveway with shotgun racks, German
Shepherds barking, lights flickering, stereos blaring, and bars on all the
windows ?




Wow ! Thanks for the heads up !

I had a feeling that HTML in an email was just as risky as visiting a web
site. I suppose JavaScript and ActiveX can be run from both. I'm unable to
figure out how to look at email as text only using Outlook Express. Is this
possible?

As for memory resident spyware what do you think of Spybot S&D with its
immunize function? Do you think that AdAware Plus/Pro and the purchased
version of SpySweeper by WebRoot will work well with each other or is this a
case where more is not better?

--r

 

[Roberts]

Click on Tools, then Options.

There's a check box labeled "Read all messages in plain text".

Found it right away under the "Read" tab. I LIKE it !!

I set ZoneAlarm Pro to block all Mobile Code ...

I'm going to try that w/ the Norton firewall. I can't believe they don't
have it.

Second, I never use an Admin account to surf the wild wild web.

I do that one. Glad I'm not hopelessly lost. Great idea and dirt simple.

Third, I use NTFS permissions to block all access except Read/Execute, to
the folders named \Windows and \Program Files, by accounts in the group
named Users. (Admin accounts keep full control.) ...

Now your getting into an area I know little about. I knew it was possible
but never even considered doing it. I've looked in Help & Support on my XP
Pro machine (and I do have NTFS formatted drives) but am having a bit of a
hard time trying to find the documentation that ties setting folder
permissions by accounts. Is there any link you might suggest ?

Since I set up auditing in XP Pro ...

And as long as you mentioned it any links on auditing and the event log?

TIA
roberts