C
Conor
If you download the attachment and open it it is.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
J
Jeff Cook
Jesse Johnston said:Is it possible to infect your computer with a virus through webmail?
Hi Jesse
For a "complete" answer, see the thread entitled "Can viruses infect
Internet-based mail?" which commenced on the 11th. It degenerates into a
bit of a bun fight (I didn't want to say shit fight because that would be
improper), but it should give you plenty to think about.
Jeff
J
Juergen Nieveler
Jesse Johnston said:Is it possible to infect your computer with a virus through webmail?
Sure. If the webmail application is badly written and you use Internet
Explorer, a lot of the tricks used to fool Outlook Express might also
work through Webmail (as OE only uses the Internet Explorer to render
HTML).
Also, if you download and execute an attachment via webmail, it will
work just like an attachment coming through a normal mail client.
Juergen Nieveler
J
Jesse Johnston
Is it possible to infect your computer with a virus through webmail?
V
*Vanguard*
Jesse Johnston said in news:[email protected]:
While there are vulnerabilities when using IE to browse web sites, I doubt Yahoo's web pages incorporate nasty content. If you are worried, disable ActiveX and scripting in the Internet security zone (or set them to Prompt). For sites that you trust, and if you set ActiveX and scripting to Prompt, and if you get tired of answering the prompts for sites that you trust, put them in the Trusted security zone.
Make sure the security zone configured in your e-mail client uses the Restricted Sites security zone, and that the Restricted Sites security zone is configured for its High setting. None of the security zones will block linked images which can be used for web bugs. I use SpamPal and its HTML-Modify plug-in to eradicate linked images (along with other nasty HTML content). Good senders should be embedding images (i.e., inline) in their messages (if images are even needed).
There does seem a vulnerability in all browsers regarding an encoded inline MIME part that delivers executable code but declares a different filetype. You get an e-mail. It has a MIME part. Its disposition is "inline" which means the client is supposed to render the content of the MIME part within the body of the message when viewed rather than provide a link as an attachment. This can be used, for example, to play music while the recipient reads the e-mail. The MIME part also specifies the filename for the MIME part. I have seen inline MIME parts whose content was something *other* than the filetype specified. For example, you could get a script encoded in the MIME part that was declared a .jpg filetype which was disposition=inline (so all the protection of multiple prompts to save the attachment are bypassed).
The only way that I can think of to avoid this covert delivery of content that is different than filetype specified by a MIME part would be to:
1 - Force all inline MIME parts to change their disposition to "attach" so they become attachments and will never get rendered within the message.
2 - Sniff the contents of the MIME part to see if it indeed matched the filetype declared for the MIME part. The MIME part is interrogated enough to determine what should be its filetype. This would require a large number of content handlers so many types of content could be sniffed to determine if they were scripts, executables, JPG images, .doc files, or whatever.
Method 1 would cause all sorts of problems amongst good senders that want to use inline MIME content. It would also violate the RFCs in corrupting e-mail content to obviate the use of inline MIME content. There are good uses for inline MIME content, but it can be abused. Method 2 requires lots of content handlers to deciper the filetype when interrogating the encoded content of a MIME part, and as a consequence adds overhead and slows rendering of the message. In Windows XP SP-2 (which, remember, is still *beta*), it looks like MIME sniffing gets added (which is part of the security zones so it is not just an IE fix, so Outlook and OE should benefit, too); see http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx and search on "sniff" or read the section "Zone Settings for MIME Sniffing".
Do any of the other "better" browsers already provide their own MIME sniffing? If so, is there a list of what filetypes they have handlers for (so we users really know how effective is their sniffing by knowing the range of filetype handlers they can use)? If none of the other claimed better browsers included MIME sniffing on their own then they are just as vulnerable (i.e., they are in the same leaky boat as IE).
Is it possible to infect your computer with a virus through webmail?
While there are vulnerabilities when using IE to browse web sites, I doubt Yahoo's web pages incorporate nasty content. If you are worried, disable ActiveX and scripting in the Internet security zone (or set them to Prompt). For sites that you trust, and if you set ActiveX and scripting to Prompt, and if you get tired of answering the prompts for sites that you trust, put them in the Trusted security zone.
Make sure the security zone configured in your e-mail client uses the Restricted Sites security zone, and that the Restricted Sites security zone is configured for its High setting. None of the security zones will block linked images which can be used for web bugs. I use SpamPal and its HTML-Modify plug-in to eradicate linked images (along with other nasty HTML content). Good senders should be embedding images (i.e., inline) in their messages (if images are even needed).
There does seem a vulnerability in all browsers regarding an encoded inline MIME part that delivers executable code but declares a different filetype. You get an e-mail. It has a MIME part. Its disposition is "inline" which means the client is supposed to render the content of the MIME part within the body of the message when viewed rather than provide a link as an attachment. This can be used, for example, to play music while the recipient reads the e-mail. The MIME part also specifies the filename for the MIME part. I have seen inline MIME parts whose content was something *other* than the filetype specified. For example, you could get a script encoded in the MIME part that was declared a .jpg filetype which was disposition=inline (so all the protection of multiple prompts to save the attachment are bypassed).
The only way that I can think of to avoid this covert delivery of content that is different than filetype specified by a MIME part would be to:
1 - Force all inline MIME parts to change their disposition to "attach" so they become attachments and will never get rendered within the message.
2 - Sniff the contents of the MIME part to see if it indeed matched the filetype declared for the MIME part. The MIME part is interrogated enough to determine what should be its filetype. This would require a large number of content handlers so many types of content could be sniffed to determine if they were scripts, executables, JPG images, .doc files, or whatever.
Method 1 would cause all sorts of problems amongst good senders that want to use inline MIME content. It would also violate the RFCs in corrupting e-mail content to obviate the use of inline MIME content. There are good uses for inline MIME content, but it can be abused. Method 2 requires lots of content handlers to deciper the filetype when interrogating the encoded content of a MIME part, and as a consequence adds overhead and slows rendering of the message. In Windows XP SP-2 (which, remember, is still *beta*), it looks like MIME sniffing gets added (which is part of the security zones so it is not just an IE fix, so Outlook and OE should benefit, too); see http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx and search on "sniff" or read the section "Zone Settings for MIME Sniffing".
Do any of the other "better" browsers already provide their own MIME sniffing? If so, is there a list of what filetypes they have handlers for (so we users really know how effective is their sniffing by knowing the range of filetype handlers they can use)? If none of the other claimed better browsers included MIME sniffing on their own then they are just as vulnerable (i.e., they are in the same leaky boat as IE).
N
null
Do any of the other "better" browsers already provide their own MIME sniffing? If so, is there a list of what filetypes they have handlers for (so we users really know how effective is their sniffing by knowing the range of filetype handlers they can use)? If none of the other claimed better browsers included MIME sniffing on their own then they are just as vulnerable (i.e., they are in the same leaky boat as IE).
You can can spend many fun packed hours following up on leads provided
by Googling:
Mozilla mime sniffing
Firefox mime sniffing
Opera mime sniffing
Art
http://www.epix.net/~artnpeg
V
*Vanguard*
(e-mail address removed) said in news:[email protected]:
Well, I decided to do a quick search at the source. For Mozilla, I didn't find much except http://www.mozilla.org/docs/web-developer/mimetypes.html where it speaks of MIME content sniffing now used in the latest released version 1.7 for Mozilla which was released only a month ago on June 17. Okay, so Mozilla beat Windows XP SP-2 by a few months (still don't know with WinXP SP-2 will be out but I'm guessing a few months more). At what version of Mozilla did the code branch off for Firefox? I didn't find anything that said Firefox does MIME sniffing, so maybe Firefox's code branched off from Mozilla 1.6's code (which didn't have MIME sniffing). I saw mention of an Opera-like plug-in for Firefox 0.8 to add MIME sniffing (but no link to it). Don't know if Firefox 0.9 included it but I'll wait until it isn't a "technical *preview*" (aka beta) version.
You can can spend many fun packed hours following up on leads provided
by Googling:
Mozilla mime sniffing
Firefox mime sniffing
Opera mime sniffing
Art
http://www.epix.net/~artnpeg
Well, I decided to do a quick search at the source. For Mozilla, I didn't find much except http://www.mozilla.org/docs/web-developer/mimetypes.html where it speaks of MIME content sniffing now used in the latest released version 1.7 for Mozilla which was released only a month ago on June 17. Okay, so Mozilla beat Windows XP SP-2 by a few months (still don't know with WinXP SP-2 will be out but I'm guessing a few months more). At what version of Mozilla did the code branch off for Firefox? I didn't find anything that said Firefox does MIME sniffing, so maybe Firefox's code branched off from Mozilla 1.6's code (which didn't have MIME sniffing). I saw mention of an Opera-like plug-in for Firefox 0.8 to add MIME sniffing (but no link to it). Don't know if Firefox 0.9 included it but I'll wait until it isn't a "technical *preview*" (aka beta) version.
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.