E-mail Security

Discussion in 'Computer Security' started by 10-4Hokie, Mar 26, 2006.

  1. 10-4Hokie

    10-4Hokie Guest

    There is much talk today about not opening suspicious e-mails (especially in
    HTML format), since there may be viruses or other malware in them.

    Is using the Outlook 'preview pane' opening an e-mail, or is the e-mail only
    'opened' (and therewith potentially dangerous) when it actually opens a new
    window?

    Thanks.
     
    10-4Hokie, Mar 26, 2006
    #1

  2. 10-4Hokie wrote:
    > There is much talk today about not opening suspicious e-mails (especially in
    > HTML format), since there may be viruses or other malware in them.


    text/html-only is easily filtered out. Cannot be anything good, as the
    necessary text/plain part is missing.

    > Is using the Outlook 'preview pane' opening an e-mail, or is the e-mail only
    > 'opened' (and therewith potentially dangerous) when it actually opens a new
    > window?


    It's already opened in the preview pane.

    Anyway, not even that is needed for exploiting Outlook. Just keep on
    minding about mangled MIME handlers (an AIFF audio with a TIFF image
    icon being run as HTA) and still good bets on unpatched buffer overflows
    in the header parsing.

    But who would be that stupid using Outlook for eMails?
     
    Sebastian Gottschalk, Mar 26, 2006
    #2

  3. 10-4Hokie

    CJ Guest

    10-4Hokie wrote:
    > There is much talk today about not opening suspicious e-mails
    > (especially in HTML format), since there may be viruses or other
    > malware in them.


    Where have you been for the last few years?

    >
    > Is using the Outlook 'preview pane' opening an e-mail, or is the
    > e-mail only 'opened' (and therewith potentially dangerous) when it
    > actually opens a new window?
    >
    > Thanks.


    For you to be able to see the message, whether in a preview pane (a new
    window) or a 'new window', the message has to be 'opened'.

    You have already answered your own question, and if you needed a second
    opinion you could have asked any search engine.

    CJ
     
    CJ, Mar 26, 2006
    #3
  4. 10-4Hokie

    Don Kelloway Guest

    "10-4Hokie" <> wrote in message
    news:e06vfc$a2e$...
    > There is much talk today about not opening suspicious e-mails (especially
    > in HTML format), since there may be viruses or other malware in them.
    >
    > Is using the Outlook 'preview pane' opening an e-mail, or is the e-mail
    > only 'opened' (and therewith potentially dangerous) when it actually opens
    > a new window?
    >
    > Thanks.
    >


    Email messages can be composed in several methods; the two most common being
    HTML and Plain Text.

    Email messages sent/composed in Plain Text are never an issue. However the
    vulnerabilities associated with HTML composed email messages are ALWAYS an
    issue. In fact it's NEVER a wise idea to either open an HTML composed email
    message or use the Outlook preview pane option. If you want to be safe, the
    best thing to do is configure your email client to display email messages
    HTML as Plain Text. Granted the HTML composed email will never display
    pretty, but that is the way it is.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Mar 27, 2006
    #4
  5. Don Kelloway wrote:

    > Email messages can be composed in several methods; the two most common being
    > HTML and Plain Text.


    Wrong. eMail is either Content-Type: text/plain or multipart/mime with
    at least one text/plain part. In any case only the content of text/plain
    is relevant text content.

    > If you want to be safe, the
    > best thing to do is configure your email client to display email messages
    > HTML as Plain Text.


    The problem with Outlook (|Express ) is that certain behaviour can
    trigger HTML display. We once spotted a case where replying to a Usenet
    posting containing a simple <hr> triggered the HTML mode, effectively
    displaying a horizontal row. Many other triggers are known, and once HTML
    rendering with IE's engine is invoked, you've lost.

    > Granted the HTML composed email will never display
    > pretty, but that is the way it is.


    So far my Thunderbird with read_as_plaintext = true will not even render
    HTML-only mails, whereas the normal behaviour is to downconvert to
    plain text or, if configured, strip it down to some very simple
    formatting options.
     
    Sebastian Gottschalk, Mar 27, 2006
    #5
  6. 10-4Hokie

    Don Kelloway Guest

    "Sebastian Gottschalk" <> wrote in message
    news:...
    > Don Kelloway wrote:
    >
    >> Email messages can be composed in several methods; the two most common
    >> being
    >> HTML and Plain Text.

    >
    > Wrong. eMail is either Content-Type: text/plain or multipart/mime with
    > at least one text/plain part. In any case only the content of text/plain
    > is relevant text content.
    >


    Despite what you think email messages within Outlook CAN BE COMPOSED as
    either HTML, Plain Text, Rich Text Format. Click the Format drop-down
    option and select one of the three for yourself.

    >> If you want to be safe, the
    >> best thing to do is configure your email client to display email messages
    >> HTML as Plain Text.

    >
    > The problem with Outlook (|Express ) is that certain behaviour can
    > trigger HTML display. We once spotted a case where replying to a Usenet
    > posting containing a simple <hr> triggered the HTML mode, effectively
    > displaying a horizontal row. Many other triggers are known, and once HTML
    > rendering with IE's engine is invoked, you've lost.


    The OP isn't talking about replying to messages or posts. He was inquiring
    about whether using the preview pane option could pose a risk.

    >
    >> Granted the HTML composed email will never display
    >> pretty, but that is the way it is.

    >
    > So far my Thunderbird with read_as_plaintext = true will not even render
    > HTML-only mails, whereas the normal behaviour is to downconvert to
    > plain text or, if configured, strip it down to some very simple
    > formatting options.


    And if the option is enabled (it isn't by default), Outlook will not render
    HTML emails either. Which means if you are concerned about the threat of a
    virus or of some other type of malicious script executing through HTML or
    through Microsoft Outlook Rich Text Format (RTF), you can use the Read all
    standard mail in plain text option to prevent Outlook 2003 from rendering
    those formats.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Mar 27, 2006
    #6
  7. Don Kelloway wrote:

    > Despite what you think email messages within Outlook CAN BE COMPOSED as
    > either HTML, Plain Text, Rich Text Format. Click the Format drop-down
    > option and select one of the three for yourself.


    Doesn't matter, the result will have to end up as text/plain to be
    compatible. And no, I don't see any use for duplicating the very same
    content and sending it as an HTML attachment.

    > The OP isn't talking about replying to messages or posts. He was inquiring
    > about whether using the preview pane option could pose a risk.


    Luring into a reply isn't a similar issue?

    > you can use the Read all
    > standard mail in plain text option to prevent Outlook 2003 from rendering
    > those formats.


    And you also need to display inline preview of images.
    Still doesn't help against those nasty MIME handling bugs. Plus the good
    bets on certain buffer overflows in the header parser.
     
    Sebastian Gottschalk, Mar 27, 2006
    #7
  8. 10-4Hokie

    Jim Watt Guest

    On Sun, 26 Mar 2006 23:05:47 +0200, Sebastian Gottschalk
    <> wrote:

    >But who would be that stupid using Outlook for eMails?


    most of my commercial clients.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Mar 27, 2006
    #8
  9. 10-4Hokie

    Don Kelloway Guest

    "Sebastian Gottschalk" <> wrote in message
    news:...
    > Don Kelloway wrote:
    >
    >> Despite what you think email messages within Outlook CAN BE COMPOSED as
    >> either HTML, Plain Text, Rich Text Format. Click the Format drop-down
    >> option and select one of the three for yourself.

    >
    > Doesn't matter, the result will have to end up as text/plain to be
    > compatible. And no, I don't see any use for duplicating the very same
    > content and sending it as an HTML attachment.
    >
    >> The OP isn't talking about replying to messages or posts. He was
    >> inquiring
    >> about whether using the preview pane option could pose a risk.

    >
    > Luring into a reply isn't a similar issue?
    >
    >> you can use the Read all
    >> standard mail in plain text option to prevent Outlook 2003 from rendering
    >> those formats.

    >
    > And you also need to display inline preview of images.
    > Still doesn't help against those nasty MIME handling bugs. Plus the good
    > bets on certain buffer overflows in the header parser.



    It's obvious that you are not familiar with Outlook because it does not
    display any inline preview of images for messages that are composed in HTML.
    And like IE when it is properly configured, Outlook is not susceptible to
    the MIME issue you speak of.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Mar 27, 2006
    #9
  10. Don Kelloway wrote:

    > It's obvious that you are not familiar with Outlook because it does not
    > display any inline preview of images for messages that are composed in HTML.


    It displays an inline preview for simple image attachments. No need to
    involve any HTML.

    > And like IE when it is properly configured, Outlook is not susceptible to
    > the MIME issue you speak of.


    Bah, you'd wish. Microsoft is only blacklisting some already exploited
    MIME type combinations, and on WinSrv03 they actually turned that into a
    Group Policy. It was never fixed and actually the interaction with
    Shell32::ShellExecute MIME handling makes things even worse.

    As a test case:
    Name: blah.gif Type: image/gif Content: WMF
     
    Sebastian Gottschalk, Mar 27, 2006
    #10
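
Added example, not part of any post in this thread: a mail-filter sketch in Python for two checks raised above, an HTML part with no text/plain part (post #2) and an attachment declared as image/gif whose bytes are not a GIF (the test case in post #10). The function names, addresses and sample bytes are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the image types this sketch knows how to verify.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
WMF_PLACEABLE = b"\xd7\xcd\xc6\x9a"  # header of a placeable Windows Metafile

def audit(raw: bytes) -> list:
    """Return a list of findings for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    types = [p.get_content_type() for p in leaves]
    findings = []
    # Check 1: HTML body with no text/plain part anywhere in the message.
    if "text/html" in types and "text/plain" not in types:
        findings.append("html-without-plain")
    # Check 2: declared image type whose decoded bytes lack that type's magic.
    for part in leaves:
        ctype = part.get_content_type()
        if ctype not in MAGIC:
            continue
        body = part.get_payload(decode=True) or b""
        if not body.startswith(MAGIC[ctype]):
            actual = "WMF" if body.startswith(WMF_PLACEABLE) else "unknown"
            findings.append(f"type-mismatch:{part.get_filename()}:{ctype}:{actual}")
    return findings

def sample_message(html_only: bool, attachment: bytes) -> bytes:
    """Constructed test message with an attachment declared as image/gif."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "test"
    if html_only:
        m.set_content("<p>hello</p>", subtype="html")
    else:
        m.set_content("hello")
    m.add_attachment(attachment, maintype="image", subtype="gif", filename="blah.gif")
    return m.as_bytes()

if __name__ == "__main__":
    print(audit(sample_message(True, WMF_PLACEABLE + b"\x00" * 18)))
    print(audit(sample_message(False, b"GIF89a" + b"\x00" * 10)))
```

The check compares the declared Content-Type against the decoded bytes only; a filter built on it would quarantine or strip the part before any client decides how to render it.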
  11. 10-4Hokie

    Don Kelloway Guest

    "Sebastian Gottschalk" <> wrote in message
    news:...
    > Don Kelloway wrote:
    >
    >> It's obvious that you are not familiar with Outlook because it does not
    >> display any inline preview of images for messages that are composed in
    >> HTML.

    >
    > It displays an inline preview for simple image attachments. No need to
    > involve any HTML.
    >


    No. It does not. With the options I have mentioned enabled, there
    is nothing displayed other than plain text if the message is viewed with the
    preview pane option. No images are rendered.

    >> And like IE when it is properly configured, Outlook is not susceptible to
    >> the MIME issue you speak of.

    >
    > Bah, you'd wish. Microsoft is only blacklisting some already exploited
    > MIME type combinations, and on WinSrv03 they actually turned that into a
    > Group Policy. It was never fixed and actually the interaction with
    > Shell32::ShellExecute MIME handling makes things even worse.
    >
    > As a test case:
    > Name: blah.gif Type: image/gif Content: WMF


    I don't know what else to say other than your configuration (or
    understanding of configuring) Outlook and IE are vastly different from my
    configurations.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Mar 27, 2006
    #11
  12. Don Kelloway wrote:

    > No. It does not. With the options I have mentioned enabled, there
    > is nothing displayed other than plain text if the message is viewed with the
    > preview pane option. No images are rendered.


    Plaintext view and image inline display are two different options.
     
    Sebastian Gottschalk, Mar 27, 2006
    #12
  13. 10-4Hokie

    Don Kelloway Guest

    "Sebastian Gottschalk" <> wrote in message
    news:...
    > Don Kelloway wrote:
    >
    >> No. It does not. With the options I have mentioned enabled,
    >> there
    >> is nothing displayed other than plain text if the message is viewed with
    >> the
    >> preview pane option. No images are rendered.

    >
    > Plaintext view and image inline display are two different options.



    Yes. Outlook has one option that can be configured to ensure all messages
    regardless of composition are displayed as plain text only and another
    option that will not ensure that images are not displayed if you utilize the
    preview pane.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Mar 28, 2006
    #13