Email horror!


Sol

Hi there.

I use Internet Explorer 6 (sp1, yada) and Outlook Express 6 for
browsing and email. I keep IE's "Internet Zone" security stringently
configured and have OE configured to use the "Internet Zone's" security
settings. I haven't had a malware infection since I can remember, but
I'm worried about something. I'm paranoid (in ways) when it comes to
security, so I was wondering if anyone could tell me whether or not OE
ACTUALLY depends on IE's settings for its security, or if, for example,
there's a possibility that malicious active content in an email can
still run (whereas I have IE set to reject all active content in web
pages)?

Maybe I should make the question a little broader: is HTML email
dangerous in general, or only when active content is allowed? If it's
only dangerous when active content is allowed, can OE truly be
configured to reject active content? Or will I need to use something
else, such as Thunderbird?

(I'm ignoring the dangers of email attachments for this discussion,
BTW.)

Thanks many times over (in advance) for your help.
 
From: "Sol" <[email protected]>

| Hi there.
|
| I use Internet Explorer 6 (sp1, yada) and Outlook Express 6 for
| browsing and email. I keep IE's "Internet Zone" security stringently
| configured and have OE configured to use the "Internet Zone's" security
| settings. I haven't had a malware infection since I can remember, but
| I'm worried about something. I'm paranoid (in ways) when it comes to
| security, so I was wondering if anyone could tell me whether or not OE
| ACTUALLY depends on IE's settings for its security, or if, for example,
| there's a possibility that malicious active content in an email can
| still run (whereas I have IE set to reject all active content in web
| pages)?
|
| Maybe I should make the question a little broader: is HTML email
| dangerous in general, or only when active content is allowed? If it's
| only dangerous when active content is allowed, can OE truly be
| configured to reject active content? Or will I need to use something
| else, such as Thunderbird?
|
| (I'm ignoring the dangers of email attachments for this discussion,
| BTW.)
|
| Thanks many times over (in advance) for your help.

Since OE uses IE's HTML renderer and there are so many vulnerabilities that have been
patched and exploited and some vulnerabilities that remain unpatched, there is a slim chance
of receiving a well crafted HTML exploit based email. That is why I use Pegasus Mail and I
always like to use HTML/Rich Text email and P-Mail's limited rendering of HTML makes it much
safer to use than OE. { Not to mention it has much better spam tools }
 
David said:
I use Pegasus Mail and I always like to use HTML/Rich Text email and P-Mail's limited rendering of HTML makes it much safer to use than OE.

Well... I took Pegasus Mail for a test drive, but I can't say I really
like the UI. I like Thunderbird--how does it stack up? (I've heard
some information to the effect that Mozilla-derived software is
insecure, but I'm guessing that's FUD.) Or is there nothing comparable
to P Mail?

Thanks a million.

Cheers.
 
Sol said:
| Hi there.
|
| I use Internet Explorer 6 (sp1, yada) and Outlook Express 6 for
| browsing and email. I keep IE's "Internet Zone" security stringently
| configured and have OE configured to use the "Internet Zone's"
| security settings. I haven't had a malware infection since I can
| remember, but I'm worried about something. I'm paranoid (in ways)
| when it comes to security, so I was wondering if anyone could tell me
| whether or not OE ACTUALLY depends on IE's settings for its security,
| or if, for example, there's a possibility that malicious active
| content in an email can still run (whereas I have IE set to reject
| all active content in web pages)?
|
| Maybe I should make the question a little broader: is HTML email
| dangerous in general, or only when active content is allowed? If it's
| only dangerous when active content is allowed, can OE truly be
| configured to reject active content? Or will I need to use something
| else, such as Thunderbird?
|
| (I'm ignoring the dangers of email attachments for this discussion,
| BTW.)
|
| Thanks many times over (in advance) for your help.

OE does use and depends on IE's security settings so will not render HTML
and therefore will not display pictures pointed to in HTML messages.

Ensure that OE is configured to Send and Receive in Plain Text Only and also
that for Reply to respond only in Plain Text Only and not the default of
replying in the same format as the original message.
 
Sol said:
| Well... I took Pegasus Mail for a test drive, but I can't say I really
| like the UI. I like Thunderbird--how does it stack up? (I've heard
| some information to the effect that Mozilla-derived software is
| insecure, but I'm guessing that's FUD.) Or is there nothing comparable
| to P Mail?

They've both had critical vulnerabilities fixed, and nobody knows when
more will be found. There's no such thing as bullet proof software.

That said, T-Bird is an excellent choice. Just leave the default
setting of having scripting disabled. Like Pegasus, T-Bird won't
allow the user to Run email attachments.

I'd be far more worried about your use of IE. You should really only
use it for updating Windows security patches, and for known trusted
web sites. Make Firefox or Opera your default browser. That way you
are far safer with clickable links in email and newsgroups as well.

If you haven't checked out Opera, give it a try. It's measurably
faster in most cases than other browsers, and it has a decent
history when it comes to flaws and vulnerabilities.

Art
http://home.epix.net/~artnpeg
 
Art said:
There's no such thing as bullet proof software.

I know and agree. I seek the software that stops the most bullets the
most of the time. =)

Art said:
| I'd be far more worried about your use of IE. You should really only
| use it for updating Windows security patches, and for known trusted
| web sites. Make Firefox or Opera your default browser. That way you
| are far safer with clickable links in email and newsgroups as well.

I custom configured all my IE "Internet Zone" security settings so that
no content at all--at least that which IE gives you options to enable
or disable--is permitted to run by default (since all sites are, by
definition, in the "Internet Zone") unless I say otherwise (by adding
the site in question to my "Trusted Zone"). I can say for a certainty
that my browsing speed has noticeably increased as a consequence (YMMV)
and I see next to no popups (and only on sites that I put in the
"Trusted Zone"). No antimalware scan I've run has picked up anything
on any of my machines (and I've run multiple scans over a long period
of time). Now, to be fair, I don't often browse to sites that would
appear to host malicious active content, but I don't fear to click on a
seemingly shady link if it applies to what I'm browsing for, so I
believe I can say *sometimes* I expose myself to bad webcode.

Now, if you're saying that something above and beyond all that
exists--such as some IE vulnerability that could penetrate my security
settings, my watchfulness with email attachments and downloads (esp.
freeware and shadyware), my being situated behind a properly configured
CISCO 806 SOHO router / firewall, and my general skepticism about
anything that looks suspicious--then please, let me know! To be
honest, the only reason I use IE is because 1) I like its UI; 2) it
comes bundled with Windows and I don't like having to install a
different browser; 3) I've been under the impression that, at least as
far as web browsers are concerned, active content in web sites
themselves was the only vector of attack that you are exposed to simply
by using a particular browser.

To clarify that last statement, say browser X supports ActiveX, but
browser Y doesn't. Obviously, ActiveX code (malicious or otherwise)
will only run on browser X; however, that doesn't stop browser Y from
being compromised due to malware already present on the machine it's
being run from (gotten from, say, a trojan that a user downloaded in
ignorance).

Now, that's just what I thought; if I'm wrong, please tell me!

I mean, if there's something intrinsically wrong with IE--if I can't
trust that, for example, disabling "Run ActiveX Controls and Plugins"
ACTUALLY prevents ActiveX controls and plugins from running--then I've
been laboring under a misunderstanding and would greatly appreciate
being set right!

On the other hand, if IE is safe enough when properly configured and
you thought I meant something else, or you're just biased against IE (a
sentiment I understand though I don't practice it =) please let me
know anyway so that I don't worry about this. =)

Thanks for your input!

Cheers!
 
Sol said:
| I know and agree. I seek the software that stops the most bullets the
| most of the time. =)
|
| I custom configured all my IE "Internet Zone" security settings so that
| no content at all--at least that which IE gives you options to enable
| or disable--is permitted to run by default (since all sites are, by
| definition, in the "Internet Zone") unless I say otherwise (by adding
| the site in question to my "Trusted Zone"). I can say for a certainty
| that my browsing speed has noticeably increased as a consequence (YMMV)
| and I see next to no popups (and only on sites that I put in the
| "Trusted Zone"). No antimalware scan I've run has picked up anything
| on any of my machines (and I've run multiple scans over a long period
| of time). Now, to be fair, I don't often browse to sites that would
| appear to host malicious active content, but I don't fear to click on a
| seemingly shady link if it applies to what I'm browsing for, so I
| believe I can say *sometimes* I expose myself to bad webcode.
|
| Now, if you're saying that something above and beyond all that
| exists--such as some IE vulnerability that could penetrate my security
| settings, my watchfulness with email attachments and downloads (esp.
| freeware and shadyware), my being situated behind a properly configured
| CISCO 806 SOHO router / firewall, and my general skepticism about
| anything that looks suspicious--then please, let me know!

Something above and beyond all that might well exist for any software,
which is why I pointed out that no software should be considered
bullet proof. Buffer overrun vulnerabilities, for example, are
sometimes exploited to place malicious code on a machine and take
control of it.

Sol said:
| To be
| honest, the only reason I use IE is because 1) I like its UI; 2) it
| comes bundled with Windows and I don't like having to install a
| different browser; 3) I've been under the impression that, at least as
| far as web browsers are concerned, active content in web sites
| themselves was the only vector of attack that you are exposed to simply
| by using a particular browser.
|
| To clarify that last statement, say browser X supports ActiveX, but
| browser Y doesn't. Obviously, ActiveX code (malicious or otherwise)
| will only run on browser X; however, that doesn't stop browser Y from
| being compromised due to malware already present on the machine it's
| being run from (gotten from, say, a trojan that a user downloaded in
| ignorance).
|
| Now, that's just what I thought; if I'm wrong, please tell me!

If malicious code takes control, it can do most anything it wants. It
can prevent browsers from accessing security sites, disable antivirus
software and software firewalls (or bypass them), etc.

But that's beside the point here. We're talking prevention and "safe
hex". I hope you're not limiting "active content" scope to just
activex, since it includes javascript and Java as well. You must use
Custom settings and disable all of these in the Internet Zone ... or
set certain ones to prompt (warn) as some knowledgeable users do.
But the prompting might drive you nuts :) And there are several other
settings in IE related to security which I won't go into here,
especially since I don't recommend using IE.

Sol said:
| I mean, if there's something intrinsically wrong with IE--if I can't
| trust that, for example, disabling "Run ActiveX Controls and Plugins"
| ACTUALLY prevents ActiveX controls and plugins from running--then I've
| been laboring under a misunderstanding and would greatly appreciate
| being set right!

Two of the many things that have been "intrinsically wrong" with IE
over the years have been:

1. The default Medium security setting of the Internet Zone is highly
dangerous (I know it still is since I tested it recently on a goat
machine).
2. MS has been notoriously slow in fixing known vulnerabilities.

The same haven't been true (and aren't true) of the alternate browsers
even though javascript is enabled by default in them. Yes, they have
their histories of known vulnerabilities as well, but it seems the
developers are far more on the ball when it comes to reacting quickly
and putting out patched versions before any exploits occur in the
wild.

Sol said:
| On the other hand, if IE is safe enough when properly configured and
| you thought I meant something else, or you're just biased against IE (a
| sentiment I understand though I don't practice it =) please let me
| know anyway so that I don't worry about this. =)

If you truly keep all active content disabled or have items set to
prompt you should be ok. As I said, I know some security-knowledgeable
users who post here take that approach.

Sol said:
| Thanks for your input!

Hope it helps a little.

Cheers :)

Art
http://home.epix.net/~artnpeg
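
The Internet Zone settings discussed in the post above are stored per user under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`. The following is an added example, not code from any poster in this thread: it audits a `.reg` export of that key for the ActiveX, scripting and Java settings and reports anything that is neither disabled nor set to prompt. The sample export is constructed.

```python
import re

# URL action IDs for the settings named in the thread (Zones\3 = Internet Zone).
ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1C00": "Java permissions",
}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
INTERNET_ZONE = r"\Internet Settings\Zones\3]"

def audit_zone(reg_text):
    """Return {action_id: (name, state, ok)} for the Internet Zone section."""
    results, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_zone = line.endswith(INTERNET_ZONE)
            continue
        m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
        if not (in_zone and m and m.group(1).upper() in ACTIONS):
            continue
        action, value = m.group(1).upper(), int(m.group(2), 16)
        if action == "1C00":
            # Java permissions is the odd one out: 0 means Java is disabled,
            # any other value selects a Java safety level.
            state = "disable" if value == 0 else "java level 0x%x" % value
        else:
            state = POLICY.get(value, "unknown 0x%x" % value)
        results[action] = (ACTIONS[action], state, state in ("disable", "prompt"))
    # A value absent from the export could not be verified, so flag it for review.
    for action in ACTIONS:
        results.setdefault(action, (ACTIONS[action], "not set", False))
    return results

# Constructed sample export, not taken from any real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"1C00"=dword:00010000
'''

if __name__ == "__main__":
    for action, (name, state, ok) in sorted(audit_zone(SAMPLE_REG).items()):
        print("%s %-55s %-18s %s" % (action, name, state, "ok" if ok else "REVIEW"))
```

On the sample, Java permissions (still at a safety level rather than disabled) and the missing 1402 value are the two entries marked for review; the Trusted sites section (`Zones\2`) is ignored.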
 
Sol said:
| I know and agree. I seek the software that stops the most bullets the
| most of the time. =)
|
| Cheers!
************ REPLY SEPARATER ************
You appear to be seeking opinions, so I will offer mine. Dealing firstly with
client email programs, I have said from the very early days when Microsoft's
client program was called Exchange, that it is one of the worst programs that I
have ever encountered. Microsoft has improved the program immensely over time,
but unfortunately it is still based on those early attempts. Microsoft's
digress from established standards, its attempt to hide the technical details
from the user, and its attempt to make the program "do everything", have
created a bloated non-standard program full of potential holes. My objections
to Outlook are mostly technical, although I have never been fond of the user
interface. The easiest way to identify a "phish" is to examine the SMTP
headers, and the gyrations that you have to go through in Outlook is enough to
make me vomit. There are many email client programs that attempt to duplicate
the user interface in Outlook, but the biggest objections I have are the
non-standard message file format, the way it handles attachments, and its use
of HTML. HTML DOES NOT BELONG IN A MESSAGING SYSTEM, but don't get me started
on that one.

On the browser side, I use for the most part Mozilla, but there is the
occasional website that I must use IE. I believe that IE can be made quite
usable, but frankly I got so tired of covering up the holes that I finally
switched and have never looked back. My wife objected to using Mozilla at
first, but now she is very much a promoter of Firefox. I personally can't see
any difference in the user interface. Yes, Java Script can be used to install
malware, but it is much more limited in its functionality than ActiveX. I do
not have ActiveX disabled on IE because I have Active Scripting set to prompt.
Active Scripting is used to load ActiveX, and yes it is a pain to respond to
all the prompts, but frankly ActiveX is the only reason I have to use IE.

J.A. Coutts
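
What examining the SMTP headers of a suspected phish involves, as an added example that is not part of the post above: the script compares the From domain with Return-Path and Reply-To, and rebuilds the relay path from the Received headers. The sample message, its host names and its addresses are constructed (documentation address ranges), and the findings are heuristics that mark a message for a closer look, not verdicts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To/Return-Path value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def examine_headers(raw):
    """Return (route, findings); route lists (claimed name, recorded IP) per hop."""
    msg = message_from_string(raw)
    sender, findings = domain(msg["From"]), []
    for name in ("Return-Path", "Reply-To"):
        other = domain(msg[name])
        if other and other != sender:
            findings.append("%s domain %s differs from From domain %s"
                            % (name, other, sender))
    # Each relay prepends its Received header, so the last one is the first hop.
    route = []
    for hop in reversed(msg.get_all("Received", [])):
        hop = " ".join(hop.split())  # unfold continuation lines
        m = re.search(r"from (\S+) \(.*?\[([0-9.]+)\]\)", hop)
        route.append((m.group(1).lower(), m.group(2)) if m else ("?", "?"))
    # The name after "from" is whatever the sending host claimed; only the
    # bracketed IP was recorded by the receiving server.
    if route and sender:
        host = route[0][0]
        if host != sender and not host.endswith("." + sender):
            findings.append("first hop %s [%s] is outside From domain %s"
                            % (route[0] + (sender,)))
    return route, findings

# Constructed sample message; tabs mark folded header lines.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Mon, 1 Jan 2001 10:00:05 +0000
Received: from pc-17 (unknown [203.0.113.77])
\tby mx.recipient.example with SMTP; Mon, 1 Jan 2001 10:00:02 +0000
From: "Example Bank Security" <security@example-bank.test>
Reply-To: accounts@example.org
Subject: Verify your account

Body omitted.
"""

if __name__ == "__main__":
    route, findings = examine_headers(SAMPLE)
    print(" -> ".join("%s [%s]" % hop for hop in route))
    print("\n".join(findings))
```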
 
John Coutts said:
... The easiest way to identify a "phish" is to examine the SMTP
headers, and the gyrations that you have to go through in Outlook
is enough to make me vomit.

Outlook doesn't support the CTRL F3 key combo?
 
Art said:
I hope you're not limiting "active content" scope to just
activex, since it includes javascript and Java as well. You must use
Custom settings and disable all of these in the Internet Zone ... or
set certain ones to prompt (warn) as some knowledgeable users do.
But the prompting might drive you nuts :) And there are several other
settings in IE related to security which I won't go into here,
especially since I don't recommend using IE.

I wasn't very clear. I disable *all* active content: Javascript,
ActiveX, the whole nine yards. I disable every option that IE allows
you to disable under Security and set those that I can't to prompt (or
what have you). Whew. =)

Art said:
| Two of the many things that have been "intrinsically wrong" with IE
| over the years have been:
|
| 1. The default Medium security setting of the Internet Zone is highly
| dangerous (I know it still is since I tested it recently on a goat
| machine).

The defaults *are* garbage and, as I've said before, I don't stick with
them at all.

Art said:
| 2. MS has been notoriously slow in fixing known vulnerabilities.

I'm really not a fan of Microsoft. I believe Windows and all its
bundled software are basically easy to use (a good thing) but that the
price for MS's version of easy is too high--both up front and in nice
little ways later.

Art said:
| If you truly keep all active content disabled or have items set to
| prompt you should be ok. As I said, I know some security-knowledgeable
| users who post here take that approach.

Well, that helps put me at ease. I believe open source software is
probably better by definition, but if IE is capable of being "good
enough" then that's all I care about. I just don't want to use
extraneous stuff if I don't need to... I mean, MS makes you look
elsewhere (at least pre-Vista, I hope) for practically EVERYTHING from
disk cloning software to antimalware--can't they at least get the one
program I use most frequently that THEY provide to not bite? =)

Anyhow, when I finally get this Linux business figured out, then I
definitely won't need to care about this issue anymore. =)

Thanks a million.

Cheers!
 