Computer Security - Can you get a virus/worm just from reading Yahoo mail?

#1

It's been said that when using web-based email (such as Yahoo), you can get a virus or worm on your computer just by reading email if the email contains malicious HTML code, even if you never request for any attachments to be loaded. Is this really true?

If yes, how can this be prevented? Theoretically, you should have all your email read strictly as plain text. Yahoo has the option to "block HTML graphics" but that's not the same as reading email in plain text.

To cite an actual situation, consider the emails generated by the SWEN worm (the ones that pretend to be Microsoft patches). There seem to be two variations of email sent out. One type consists of an email message written in HTML (including graphics) persuading you to load the attachment below it. The other variation is just a message about some undeliverable email, but doesn't seem to have any attachment. However, it still takes up about 150K in space! Does this mean that there was a hidden payload that gets secretly loaded just from reading the message?

wylbur37

#2

wylbur37 wrote:

> It's been said that when using web-based email (such as Yahoo), you can get a virus or worm on your computer just by reading email if the email contains malicious HTML code, even if you never request for any attachments to be loaded. Is this really true?

Sure. Especially if you use an insecure browser, such as IE.

> If yes, how can this be prevented?
> Theoretically, you should have all your email read strictly as plain text. Yahoo has the option to "block HTML graphics" but that's not the same as reading email in plain text.

Use something other than IE. Opera, or Mozilla Firebird (my favorite).

-WD

Will Dormann

#3

On 14 Nov 2003 05:03:19 -0800, (wylbur37) wrote:

>It's been said that when using web-based email (such as Yahoo), you can get a virus or worm on your computer just by reading email if the email contains malicious HTML code, even if you never request for any attachments to be loaded. Is this really true?

Yes

>If yes, how can this be prevented?

Don't use Internet Explorer. Turn off Java and Javascript on other browsers, just to be sure.

>Theoretically, you should have all your email read strictly as plain text. Yahoo has the option to "block HTML graphics" but that's not the same as reading email in plain text.
>
>To cite an actual situation, consider the emails generated by the SWEN worm (the ones that pretend to be Microsoft patches). There seem to be two variations of email sent out. One type consists of an email message written in HTML (including graphics) persuading you to load the attachment below it. The other variation is just a message about some undeliverable email, but doesn't seem to have any attachment. However, it still takes up about 150K in space! Does this mean that there was a hidden payload that gets secretly loaded just from reading the message?

The latter are bounce messages from servers operated by stupid or lazy administrators - they are supposed to inform the sender of an e-mail virus that he/she needs to clean the machine, and would therefore be part of the solution; but since the current worms fake the from field, the messages just confuse the (innocent) recipient and consume disk space, and are therefore part of the problem. Good administrators have noticed this and turned them off.

T.E.D. ()
SPAM filter: Messages to this address *must* contain "T.E.D." somewhere in the body or they will be automatically rejected.

Ted Davis
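
An added example, not part of the thread: a Python sketch of reading a message "strictly as plain text", as the original question puts it. It shows only tag-stripped text, records the active HTML a browser would otherwise act on, and reports each attachment part with its decoded size without opening it. The names `build_sample` and `inspect_message`, the marker list and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Tags and inline event handlers that a browser would act on when rendering.
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed|applet)\b|\son\w+\s*=", re.I)

def build_sample():
    """Constructed sample: HTML body with active content plus a 150,000-byte part."""
    msg = EmailMessage()
    msg["Subject"] = "Undeliverable mail"
    msg.set_content(
        '<html><body onload="run()"><p>Message <b>could not</b> be delivered.</p>\n'
        '<script>run()</script><iframe src="http://example.invalid/x"></iframe>\n'
        "</body></html>\n", subtype="html")
    msg.add_attachment(b"A" * 150_000, maintype="application",
                       subtype="octet-stream", filename="returned-message.dat")
    return msg.as_bytes()

def inspect_message(raw):
    """Return (plain_text, active_markers, attachments); nothing is rendered or run."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, markers, attachments = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            # Measure the decoded payload only; it is never written or opened.
            payload = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), len(payload)))
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            markers += [m.group(0).strip().lower() for m in ACTIVE.finditer(html)]
            # Drop script/style bodies, then every remaining tag.
            html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
            text.append(" ".join(re.sub(r"(?s)<[^>]*>", " ", html).split()))
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content().strip())
    return "\n".join(text), markers, attachments

if __name__ == "__main__":
    body, active, files = inspect_message(build_sample())
    print("Text shown to reader:", body)
    print("Active content found:", active)
    print("Attachments (name, bytes):", files)
```

The regex stripping is only adequate because the result is displayed as text; if the output were placed back into a web page it would have to be HTML-escaped first.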

#4

Isn't it necessary to have java and javascript on to load some pages? Like a forum or something?

I would love to turn off javascript, they're just irritating and load my machine so Winamp lags.

:-0

"wylbur37" <> wrote in message news: m...

> It's been said that when using web-based email (such as Yahoo), you can get a virus or worm on your computer just by reading email if the email contains malicious HTML code, even if you never request for any attachments to be loaded. Is this really true?
>
> If yes, how can this be prevented?
> Theoretically, you should have all your email read strictly as plain text. Yahoo has the option to "block HTML graphics" but that's not the same as reading email in plain text.
>
> To cite an actual situation, consider the emails generated by the SWEN worm (the ones that pretend to be Microsoft patches). There seem to be two variations of email sent out. One type consists of an email message written in HTML (including graphics) persuading you to load the attachment below it. The other variation is just a message about some undeliverable email, but doesn't seem to have any attachment. However, it still takes up about 150K in space! Does this mean that there was a hidden payload that gets secretly loaded just from reading the message?

Lars-Erik

#5

{posted from comp.mail.misc}

On Fri, 14 Nov 2003, Lars-Erik wrote:

> Isn't it necessary to have java and javascript on to load some pages? Like a forum or something?
>
> I would love to turn off javascript, they're just irritating and load my machine so Winamp lags.

Some sites require javascript (and even cookies) to function properly beyond merely display. For example, my public library offers various services; however -- no javascript and cookies, no services. It is up to the user whether to decide to turn on javascript and cookies or. It comes down to, what is it worth to you to access certain sites and the services they offer?

--
Paul Bartlett
bartlett at smart.net
PGP key info in message headers

Paul O. BARTLETT

#6

You can put selected sites (such as mail.yahoo.com) in the restricted security zone which disables some features. You can control which features are disabled (e.g. scripting and Java), or whether you should be prompted for approval if a web site tries to use a feature.

--
Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm

"Lars-Erik" <> wrote in message news:QJ6tb.6510$...

> Isn't it necessary to have java and javascript on to load some pages? Like a forum or something?
>
> I would love to turn off javascript, they're just irritating and load my machine so Winamp lags.
>
> :-0
>
> "wylbur37" <> wrote in message news: m...
>
> > It's been said that when using web-based email (such as Yahoo), you can get a virus or worm on your computer just by reading email if the email contains malicious HTML code, even if you never request for any attachments to be loaded. Is this really true?
> >
> > If yes, how can this be prevented?
> > Theoretically, you should have all your email read strictly as plain text. Yahoo has the option to "block HTML graphics" but that's not the same as reading email in plain text.
> >
> > To cite an actual situation, consider the emails generated by the SWEN worm (the ones that pretend to be Microsoft patches). There seem to be two variations of email sent out. One type consists of an email message written in HTML (including graphics) persuading you to load the attachment below it. The other variation is just a message about some undeliverable email, but doesn't seem to have any attachment. However, it still takes up about 150K in space! Does this mean that there was a hidden payload that gets secretly loaded just from reading the message?

Michael Santovec

#7

You can put selected sites (such as mail.yahoo.com) in the restricted security zone which disables some features. You can control which features are disabled (e.g. scripting and Java), or whether you should be prompted for approval if a web site tries to use a feature.

--
Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm

"wylbur37" <> wrote in message news: m...

> It's been said that when using web-based email (such as Yahoo), you can get a virus or worm on your computer just by reading email if the email contains malicious HTML code, even if you never request for any attachments to be loaded. Is this really true?
>
> If yes, how can this be prevented?
> Theoretically, you should have all your email read strictly as plain text. Yahoo has the option to "block HTML graphics" but that's not the same as reading email in plain text.
>
> To cite an actual situation, consider the emails generated by the SWEN worm (the ones that pretend to be Microsoft patches). There seem to be two variations of email sent out. One type consists of an email message written in HTML (including graphics) persuading you to load the attachment below it. The other variation is just a message about some undeliverable email, but doesn't seem to have any attachment. However, it still takes up about 150K in space! Does this mean that there was a hidden payload that gets secretly loaded just from reading the message?

Michael Santovec

#8

Plato