Can you get a virus/worm just from reading Yahoo mail?

 
 
wylbur37
      11-14-2003
It's been said that when using web-based email (such as Yahoo), you
can get a virus or worm on your computer just by reading email if the
email contains malicious HTML code, even if you never request for any
attachments to be loaded. Is this really true?

If yes, how can this be prevented?
Theoretically, you should have all your email read strictly as plain
text. Yahoo has the option to "block HTML graphics" but that's not the
same as reading email in plain text.

To cite an actual situation, consider the emails generated by the SWEN
worm (the ones that pretend to be Microsoft patches). There seem to be
two variations of email sent out. One type consists of an email
message written in HTML (including graphics) persuading you to load
the attachment below it. The other variation is just a message about
some undeliverable email, but doesn't seem to have any attachment.
However, it still takes up about 150K in space! Does this mean that
there was a hidden payload that gets secretly loaded just from reading
the message?
 
Will Dormann
      11-14-2003
wylbur37 wrote:

> It's been said that when using web-based email (such as Yahoo), you
> can get a virus or worm on your computer just by reading email if the
> email contains malicious HTML code, even if you never request for any
> attachments to be loaded. Is this really true?


Sure. Especially if you use an insecure browser, such as IE.

> If yes, how can this be prevented?
> Theoretically, you should have all your email read strictly as plain
> text. Yahoo has the option to "block HTML graphics" but that's not the
> same as reading email in plain text.


Use something other than IE. Opera, or Mozilla Firebird (my favorite).



-WD

 
Ted Davis
      11-14-2003
On 14 Nov 2003 05:03:19 -0800, (E-Mail Removed) (wylbur37)
wrote:

>It's been said that when using web-based email (such as Yahoo), you
>can get a virus or worm on your computer just by reading email if the
>email contains malicious HTML code, even if you never request for any
>attachments to be loaded. Is this really true?


Yes
>
>If yes, how can this be prevented?


Don't use Internet Explorer. Turn off Java and Javascript on other
browsers, just to be sure.

>Theoretically, you should have all your email read strictly as plain
>text. Yahoo has the option to "block HTML graphics" but that's not the
>same as reading email in plain text.
>
>To cite an actual situation, consider the emails generated by the SWEN
>worm (the ones that pretend to be Microsoft patches). There seem to be
>two variations of email sent out. One type consists of an email
>message written in HTML (including graphics) persuading you to load
>the attachment below it. The other variation is just a message about
>some undeliverable email, but doesn't seem to have any attachment.
>However, it still takes up about 150K in space! Does this mean that
>there was a hidden payload that gets secretly loaded just from reading
>the message?


The latter are bounce messages from servers operated by stupid or lazy
administrators - they are supposed to inform the sender of an e-mail
virus that he/she needs to clean the machine, and would therefore be
part of the solution; but since the current worms fake the from field,
the messages just confuse the (innocent) recipient and consume disk
space, and are therefore part of the problem. Good administrators
have noticed this and turned them off.



T.E.D. ((E-Mail Removed))
SPAM filter: Messages to this address *must* contain "T.E.D."
somewhere in the body or they will be automatically rejected.
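
An added example, not part of any post in this thread: one way to see where the bytes of an "undeliverable mail" notice go is to walk its MIME structure with Python's standard `email` package. The sample message is constructed, the function names are hypothetical, and it assumes the bounce returns the original mail as a nested part.

```python
import email
from email import policy
from email.message import EmailMessage

ACTIVE_TAGS = ("<script", "<iframe", "<object", "<embed", "<applet")
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")

def build_sample_bounce() -> bytes:
    """Constructed sample: a bounce that returns the whole original mail."""
    original = EmailMessage()
    original["From"] = "reader@example.org"      # forged sender (constructed)
    original["To"] = "nobody@example.net"
    original["Subject"] = "Security patch"
    original.set_content("<html><body><p>Install this.</p>"
                         "<script>/* placeholder */</script></body></html>",
                         subtype="html")
    original.add_attachment(b"MZ" + b"\x00" * 100_000, maintype="application",
                            subtype="octet-stream", filename="patch.exe")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.net"
    bounce["To"] = "reader@example.org"
    bounce["Subject"] = "Undeliverable mail"
    bounce.set_content("Your message could not be delivered.")
    bounce.add_attachment(original)              # stored as a message/rfc822 part
    return bounce.as_bytes()

def inventory(raw: bytes) -> list:
    """List every leaf MIME part with its decoded size and risk flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():                      # walk() descends into message/rfc822
        if part.is_multipart():
            continue                             # containers carry no bytes of their own
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        flags = []
        if part.get_content_type() == "text/html":
            html = data.decode(part.get_content_charset() or "utf-8", "replace").lower()
            flags += [tag for tag in ACTIVE_TAGS if tag in html]
        if name.lower().endswith(RISKY_EXT):
            flags.append("executable-name")
        report.append({"type": part.get_content_type(), "name": name,
                       "bytes": len(data), "flags": flags})
    return report

if __name__ == "__main__":
    for row in inventory(build_sample_bounce()):
        print(row)
```

The inventory only reports what the message contains; whether anything in it runs depends on the program that renders the mail.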
 
Lars-Erik
      11-14-2003
Isn't it necessary to have java and javascript on to load some pages? Like
a forum or something?

I would love to turn off javascript, they're just irritating and load my
machine so Winamp lags.

:-0
"wylbur37" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> It's been said that when using web-based email (such as Yahoo), you
> can get a virus or worm on your computer just by reading email if the
> email contains malicious HTML code, even if you never request for any
> attachments to be loaded. Is this really true?
>
> If yes, how can this be prevented?
> Theoretically, you should have all your email read strictly as plain
> text. Yahoo has the option to "block HTML graphics" but that's not the
> same as reading email in plain text.
>
> To cite an actual situation, consider the emails generated by the SWEN
> worm (the ones that pretend to be Microsoft patches). There seem to be
> two variations of email sent out. One type consists of an email
> message written in HTML (including graphics) persuading you to load
> the attachment below it. The other variation is just a message about
> some undeliverable email, but doesn't seem to have any attachment.
> However, it still takes up about 150K in space! Does this mean that
> there was a hidden payload that gets secretly loaded just from reading
> the message?



 
Paul O. BARTLETT
      11-14-2003
{posted from comp.mail.misc}

On Fri, 14 Nov 2003, Lars-Erik wrote:

> Isn't it necessary to have java and javascript on to load some pages? Like
> a forum or something?
>
> I would love to turn off javascript, they're just irritating and load my
> machine so Winamp lags.


Some sites require javascript (and even cookies) to function
properly beyond merely display. For example, my public library offers
various services; however -- no javascript and cookies, no services. It
is up to the user whether to decide to turn on javascript and cookies
or not. It comes down to, what is it worth to you to access certain sites
and the services they offer?

--
Paul Bartlett
bartlett at smart.net
PGP key info in message headers

 
Michael Santovec
      11-15-2003
You can put selected sites (such as mail.yahoo.com) in the restricted security zone which
disables some features. You can control which features are disabled (e.g. scripting and
Java), or whether you should be prompted for approval if a web site tries to use a
feature.

--

Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm


"Lars-Erik" <(E-Mail Removed)> wrote in message
news:QJ6tb.6510$(E-Mail Removed)...
> Isn't it necessary to have java and javascript on to load some pages? Like
> a forum or something?
>
> I would love to turn off javascript, they're just irritating and load my
> machine so Winamp lags.
>
> :-0
> "wylbur37" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > It's been said that when using web-based email (such as Yahoo), you
> > can get a virus or worm on your computer just by reading email if the
> > email contains malicious HTML code, even if you never request for any
> > attachments to be loaded. Is this really true?
> >
> > If yes, how can this be prevented?
> > Theoretically, you should have all your email read strictly as plain
> > text. Yahoo has the option to "block HTML graphics" but that's not the
> > same as reading email in plain text.
> >
> > To cite an actual situation, consider the emails generated by the SWEN
> > worm (the ones that pretend to be Microsoft patches). There seem to be
> > two variations of email sent out. One type consists of an email
> > message written in HTML (including graphics) persuading you to load
> > the attachment below it. The other variation is just a message about
> > some undeliverable email, but doesn't seem to have any attachment.
> > However, it still takes up about 150K in space! Does this mean that
> > there was a hidden payload that gets secretly loaded just from reading
> > the message?

>
>



 
Michael Santovec
      11-15-2003
You can put selected sites (such as mail.yahoo.com) in the restricted security zone which
disables some features. You can control which features are disabled (e.g. scripting and
Java), or whether you should be prompted for approval if a web site tries to use a
feature.

--

Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm


"wylbur37" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> It's been said that when using web-based email (such as Yahoo), you
> can get a virus or worm on your computer just by reading email if the
> email contains malicious HTML code, even if you never request for any
> attachments to be loaded. Is this really true?
>
> If yes, how can this be prevented?
> Theoretically, you should have all your email read strictly as plain
> text. Yahoo has the option to "block HTML graphics" but that's not the
> same as reading email in plain text.
>
> To cite an actual situation, consider the emails generated by the SWEN
> worm (the ones that pretend to be Microsoft patches). There seem to be
> two variations of email sent out. One type consists of an email
> message written in HTML (including graphics) persuading you to load
> the attachment below it. The other variation is just a message about
> some undeliverable email, but doesn't seem to have any attachment.
> However, it still takes up about 150K in space! Does this mean that
> there was a hidden payload that gets secretly loaded just from reading
> the message?



 
Plato
      11-15-2003
wylbur37 wrote:
>
> If yes, how can this be prevented?


Use non-MS apps.



--
http://www.bootdisk.com/
 