PC could be infected without opening an infected mail?!

Looking for confirmation of the following:

Heard somewhere that one could infect a PC just by viewing a mail message
containing malicious code, "in the lower pane", even without "opening" it or
execute its attachment.

Is it true? Any comments are appreciated.

Thanks and have a nice weekend.

Doug Fox

Doug Fox wrote:

> Looking for confirmation of the following:
>
> Heard somewhere that one could infect a PC just by viewing a mail message
> containing malicious code, "in the lower pane", even without "opening" it or
> execute its attachment.
>
> Is it true? Any comments are appreciated.


Absolutely true. At least if your Outlook Express/IE is not totally up
to date with security patches. When you view a message just in the
preview pane, it *is* "opening" the message.

Some exploits use a vulnerability in OE/IE to trick it into executing
code automatically. (such as mucking with the MIME type of an
attachment, for example)


-WD

Will Dormann

In terms of prevention, in addition to "patch" the holes using Windows
Update. What else can we do in this regards?

Thanks again.


"Will Dormann" <> wrote in message
news:HeT%b.16697$...
> Doug Fox wrote:
>
> > Looking for confirmation of the following:
> >
> > Heard somewhere that one could infect a PC just by viewing a mail
message
> > containing malicious code, "in the lower pane", even without "opening"
it or
> > execute its attachment.
> >
> > Is it true? Any comments are appreciated.
>
>
> Absolutely true. At least if your Outlook Express/IE is not totally up
> to date with security patches. When you view a message just in the
> preview pane, it *is* "opening" the message.
>
> Some exploits use a vulnerability in OE/IE to trick it into executing
> code automatically. (such as mucking with the MIME type of an
> attachment, for example)
>
>
> -WD

Doug Fox

In article <sTS%b.38086$ ogers.com>,
says...
> Looking for confirmation of the following:
>
> Heard somewhere that one could infect a PC just by viewing a mail message
> containing malicious code, "in the lower pane", even without "opening" it or
> execute its attachment.
>
> Is it true? Any comments are appreciated.
>
> Thanks and have a nice weekend.
>
>
>

My email program (Pegasus) does not execute HTML *if* it requires
visiting a website. It instead gives a warning that the html delivered
in the message contains "lazy HTML" - which presents a security risk
because you must visit the web site to get it. Pegasus says you should
be very careful about overriding the warning and proceeding. So, if you
can read the message in Outlook Express it's already too late.

Once you are on the website you are subject to ActiveX scripts that may
be there - and executed by your Outlook Express or Internet Explorer.

I am very negative about ActiveX. I only use Internet Explorer to get
the Windows Updates (I have Microsoft in the "trusted zone" with full
ActiveX). There is no alternative there. Microsoft won't let you
download the patches with another browser. Otherwise I have ActiveX
turned OFF (completely disabled). The security risks from destructive
scripts are severe. I also deleted the VBS and VBE extensions from the
"list" of extensions my Win2K system recognizes.

I use Mozilla Firebird for normal web browsing and Pegasus Mail for
email. Both are free (and better software even leaving aside the
security issues).

ActiveX? Just say no.

John

"Doug Fox" <> wrote in message
news:7AT%b.38684$ e.rogers.com...
> In terms of prevention, in addition to "patch" the holes using Windows
> Update. What else can we do in this regards?
>
> Thanks again.
>
>
Several things: First make sure you do have all the MS updates. Second put
OE security zone in the Restricted Zone and third go to the Restriced Zone
and turn off or disable all items. That should pretty much help keep OE
safe. As always you should also run a competent and updated Anti-Virus app.
There is also an option in OE for reading email in text only which will also
elimate any HTML threats.

Jbob

"Doug Fox" <> wrote in
news:7AT%b.38684$ e.rogers.com:

> In terms of prevention, in addition to "patch" the holes using Windows
> Update. What else can we do in this regards?

How about just saying "no" to Outlook Express? There are far better
programs for mail that are much more secure.

donutbandit

Doug Fox wrote:

> In terms of prevention, in addition to "patch" the holes using Windows
> Update. What else can we do in this regards?


Sure. Don't use IE/OE. They are ridiculously insecure.

Mozilla Firefox and Thunderbird make excellent replacements for them.



-WD

Will Dormann

"Doug Fox" <> wrote in message
news:7AT%b.38684$ e.rogers.com...
> In terms of prevention, in addition to "patch" the holes using Windows
> Update. What else can we do in this regards?

http://www.codecutters.org/outlook/

The specific problem is, I'd guess, the IFRAME exploit that should have been
patched a *long* time ago.

Opting to view all messages as plain text (at the bottom of the page)
eliminates this problem as long as you don't attempt to forward the message.

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

> "Will Dormann" <> wrote in message
> news:HeT%b.16697$...
> > Doug Fox wrote:
> >
> > > Looking for confirmation of the following:
> > >
> > > Heard somewhere that one could infect a PC just by viewing a mail
> message
> > > containing malicious code, "in the lower pane", even without "opening"
> it or
> > > execute its attachment.
> > >
> > > Is it true? Any comments are appreciated.
> >
> >
> > Absolutely true. At least if your Outlook Express/IE is not totally up
> > to date with security patches. When you view a message just in the
> > preview pane, it *is* "opening" the message.
> >
> > Some exploits use a vulnerability in OE/IE to trick it into executing
> > code automatically. (such as mucking with the MIME type of an
> > attachment, for example)
> >
> >
> > -WD
>
>

Hairy One Kenobi

Doug Fox spilled my beer when they jumped on the table and proclaimed in
<sTS%b.38086$ ogers.com>

> Looking for confirmation of the following:
>
> Heard somewhere that one could infect a PC just by viewing a mail message
> containing malicious code, "in the lower pane", even without "opening" it
> or execute its attachment.
>
> Is it true? Any comments are appreciated.
>
> Thanks and have a nice weekend.

IIRC, Klez was the first that did this. Of course if Outlook Express/OS is
properly patched, it neuters that particular problem.

NOI

Thund3rstruck_N0i

On 28 Feb 2004 05:28:36 GMT, donutbandit <>, whilst in the
alt.computer.security newsfroup, articulated the following sentiments :

>"Doug Fox" <> wrote in
>news:7AT%b.38684$ le.rogers.com:
>
>> In terms of prevention, in addition to "patch" the holes using Windows
>> Update. What else can we do in this regards?
>
>How about just saying "no" to Outlook Express? There are far better
>programs for mail that are much more secure.

I've personally always used Agent for mail and news.

http://www.forteinc.com/main/homepage.php

Super fast, rock solid and a good alternative to OE for those that desire
it. Version 2 now ready for download.

Is that spammy ? Sorry.

Imagine what they'll be doing by the time *they* get to version 6.

Regs, Pete.

Gladys Pump