>>just by getting you to open an e-mail.

It's my impression that this is not true for Windows XP SP2, which certainly all Windows XP users should by now know to run. Am I mistaken?

I believe it's true if the user is running the latest version of Outlook, yes, but not necessarily another e-mail client. Microsoft's advisories claim that oddly enough Outlook is safer to use than other third-party e-mail clients b/c of protections built in to Outlook a la SP2 that prevent attacks like this from executing.

From the VML advisory:

"In an e-mail based attack of this exploit, customers who read e-mail using Outlook Express on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, are at less risk from this vulnerability because Binary and Script Behaviors is disabled by default in the Restricted sites zone."

According to the advisory, only Vista is not affected.

Personally I still use elm on a shell account. Doesn't even handle html. And yes, anything sent to this account with html tags is immediately sent to /dev/null

I'm on several mail lists, some where a digest of posts are mailed once a day, or when they reach a certain size. Many require posting in plain text. Some mail clients/services have proved openly hostile to non-html posting, most notably AOL about three to four years ago - a hamster's lifespan ago I know. Getting new users to post in plain text was a constant battle. AOL even came out with a mail client that would only post in html at one point, but the next version allowed it again.

There are modules for list management that strip html, and most list tools now use them, yet I keep plain text as the default for both sending and reading - except for gmail, which is read online, thus HTML, though I send in plain text from there. Plain text messages are smaller, in this world there are still people out there with slow connections that don't need the extra html markup added to every message. Plain text messages do not hide content, you can effectively sort and filter them.

It has always struck me that HTML mail as a tool has always been pushed hardest by those out there to sell something - I remember Microsoft sending me mail with embedded video clips at one point. "Enriched user experience" has more to do with making the product look good (or fooling spam filters) than emailing Aunt Martha in a antique bookman font.

One sure sign of spam a few years ago was the alt text "get a better email client", the default for one spam creation tool, a phrase I still filter for.

As you can tell, I'm for plain text as the default setting, but am not a complete luddite on this, and would like to have rich text available for some expanded basic format settings, bold, underline, text size, font, etc. which are not available in plain text but are usefull in communicating.

K

PCPine for Windows is excellent; you can view (or not) any attachment you like - they are ignored by default and pine does no html parsing itself.

Unfortunately, in Outlook 2002, I don't see any "Read all standard mail in plain text" option.

When a message is obvious spam, I just delete it, and don't open it.

HTML email is not evil. In fact it is funny how this gets written every few years (months?) in the aftermath of yet another Windows vulnerability.

I for one like seeing more than just plain text in some contexts. Afterall, its all in how it is used, just like web pages, instant messages, text messages and the lowly snail mail.

But here is ironic part of this article, I received it as an HTML email from The Washington Post! ROFL.

Keep the gems of wisdom coming Brian!

Is there any danger with web-based services like Gmail? It won't load images unless you click to tell it to do so (unless you had earlier agreed to view all images sent by that address.)

http://kb.mozillazine.org/Safety_of_Reading_Email
may be a better resource than the one posted

Brian,

I get all my mail via Gmail, Yahoo mail and my office Outlook 2003 (for a company with 10,000 U.S. employees). The corporate spam protection goes through Postini, plus whatever else they have devised.

Is this something I need to worry about? Or can I rely on the corporate safeguards, as well as Google and Yahoo?

Thanks,

Roger

Interestingly enough, I received a link to this page in what? A WashingtonPost.com HTML email including a picture of the author.... Now that is ironic. While I respect Mr. Krebs opinion on this, the cat is clearly out of the bag in regards to HTML email. Going backwards to a primitive format is not a solution that many in the business world will accept unless forced to, fixing the problems is the better solution.

There is one step just as important as not reading email in HTML, and that is to turn off your preview panes. Whether an email is double-clicked or just select and displayed in the preview pane, that is reading the email as far as the mail client is concerned.

If you have Outlook open, preview pane on, Inbox selected, HTML email on, and you walk away for a few minutes, an email can come into your box through an auto-checking setting, be displayed, and 0wn your box with no intervention.

There are other settings and levels of security, but unless you're a desktop support person, most people's eyes glaze over when trying to manage security on such a granular level.

You could stop accepting HTML emails, which seems like a pretty big restriction. But, it's just one of many ways hackers can gain access and control of a Windows machine. Or, you could use Linux. Yes, I know that no OS is *absolutely* safe from attackers, but it's kind of like putting $100 bills in a bank vault or scattering them on the sidewalk. Neither is absolutely safe, but I'd rather take my chances with the bank vault.

Brian,
For my personal email I use Yahoo exclusively. A few years ago I got burned when a good friend of mine sent me an email that contained a worm and at that time Yahoo did not run incoming emails through a security filter unless the user specifically requested that it be done which-if one is in a hurry-may not get done. Now they automatically filter all emails before opening them for their clients and will not open them if they detect a virus. Their spam filtering has worked well for me, but the filter does not detect spam disquised in HTML as you relate here. Does this mean that my computer (running Windows XP SP2) can be subject to malicious intrusions just by my opening an HTML email from my Yahoo account anyhow?
Thanks for the great advice over the years!
John

Haha! Ironic indeed.

I'm glad to hear so many people have signed up for the wp.com tech emails, but it makes no difference to me whether they're viewed in html or plain text, although I'll admit they look a lot better in HTML.

For me, reading e-mail in text-only is about being in control over the e-mail program. I use Outlook 2003, so can still choose to look at an e-mail in HTML if I want just by selecting "view this in HTML" option.

To JohnJ, you can switch to plaint-text only in Outlook 2002, but it requires editing the system registry, which can be dicey if you screw something up. I believe the instructions for changing that feature are here:

http://support.microsoft.com/kb/307594

Is malicious HTML mail something I need to be concerned about yet? I am running Mac OS X v.10.4.8. I have been running OS X for five years now, and there has not been a successful exploit of the OS that has affected anything over maybe 30 computers at a time (if that many) ever. No self-replicating viruses (oxymoron I know, but sometimes ya' gotta explain these things). Please let me know if you think I need to disable my HTML reader that comes with my Mac OS X application, Mail.

Thank you.

Running OS X 10.4.8 on the Mac. Is this just one more example of threats to PC's that don't impact those of us who use a Mac? If not, please let us know! If so, then instead of eliminating HTML mail, just make that Windows stuff work right.

I would gladly drop html e-mail even though I love the rich text and graphics. The one thing I cannot abide is the damn >>> characters when you reply or forward. If there's a client that will automatically convert them to a line down the side as Outlook does, I'm there.

Yes, Thunderbird is happy to display regular text email with a bar down the side condensing the standard message quote characters >>>

Re: line instead of >>>

Apple's Mail application also uses the vertical lines on forwarding/replying to e-mail, not the >>> crap. Mail will also let you increase or decrease the number of lines to part or all of the e-mail, as well as let you select the colors of each line (I'm sure there must be other apps out there that are just a flexible). Lastly, Mail will also let you reply/forward only a portion of an e-mail, if that is all you need.

WhitIV/Em,

I'm not aware of cases in which HTML e-mail presented a security threat for OS X users, but it's not out of the question. Apple has had to patch all kinds of image and file format vulnerabilities that are similarly exploitable as the same kinds of vulnerabilities are on Windows (by getting the user to load a certain web page or view a poisoned image).

If you decide you'd like to change the way Apple Mail works, I believe the instructions at the following link should help:

http://docs.info.apple.com/article.html?artnum=106189

Your kidding, right? I am assuming this ridiculous headline is just an attempt to compete for the attention of readers. If we dealt with every potential threat in that manner, we would not have any tools to accomplish our jobs. How about we address the source of the problem by enacting and enforcing laws to address these threats, build our software more securely, and use common sense.

Chuck:

I suppose we could do it your way: enacting and enforcing laws to address these threats (like the legal system could ever keep up with technology), and build our [Windows] software more securely.

I propose a much easier solution that is available right now.

Buy a Mac.

If WhitIV/Em want to *read* (as opposed to send) in plain text on OS X they'd need to change the defaults by issuing the following command in Terminal:

defaults write com.apple.mail PreferPlainText -bool TRUE

See here:

http://www.macworld.com/weblogs/macosxhints/2006/01/oldschoolmail/index.php

However, I don't think it's necessary, because Apple's Mail doesn't run scripts and by default it doesn't download images, either. So both threats are already neutralized.

My Mozilla email always asks whether I wish to "view images" as a means of protecting me. Is this sufficient if I decline, or will I still be exposed?

What about using RTF? Our group has banned that as well. Is this a vulnerability?

For those using Outlook 2007 who want to view HTML messages as plain text:
Click "Tools"
Click "Trust Center"
In the left hand column click "E-mail Security"
Under the heading "Read as Plain Text" click in the check box labled "Read all standard mail as plain text"
For MS' instructions go here: http://office.microsoft.com/en-us/outlook/HP012305451033.aspx

This entire conversation is very helpful -- thank you so much for posting this thread, Brian. I wonder if I can please throw out a similar security question to the group? I decided to get serious about security this year after one of my colleagues got caught in a keystroke-counter program on her Windows machine. My husband and I bought a Mac Mini that runs OS X. We use it with the Apple-installed Firewall, running in Stealth Mode. We also installed Norton Anti-virus (required by our network administrators, we live in a university community and use their network) and Norton Confidential for Macintosh for added protection when doing online banking, shopping, etc. We update both of these daily, as well as adding our Mac security updates immediately upon receipt.

Are these security precautions adequate? Or are there additional steps we should be taking? I haven't been able to find any anti-spyware software for Macs similar to SpySweeper, etc, like we had for our old Windows machine. I assume this is because this threat doesn't exist for Macs yet?

Please no flames. I'm a newbie and doing the best I can. Thanks so much for your thoughts!

For those using Thunderbird, viewing text or html will give you a little piece of mind when using the Message Level add-on

https://addons.mozilla.org/firefox/2260/

"I haven't been able to find any anti-spyware software for Macs similar to SpySweeper, etc, like we had for our old Windows machine. I assume this is because this threat doesn't exist for Macs yet?"

Yes, you're right on all points.

The most important step you should probably take is to not to use an administrative account for day-to-day use. Apple recommends not to in its advice (link below) - which is mostly aimed at businesses. I figure they don't want to prompt users to do that at set-up with the installation wizard because it might confuse many home users. But on OS X, as with Windows, don't surf on admin accounts - keep them for admin tasks. Apple's security advice is in a downloadable PDF ("Mac OS X Security Configuration Guide") on this page (bottom of the right-hand column):

http://www.apple.com/macosx/features/security/

You may also want to look at the advice from two ex-Apple techs here:

http://www.macgeekery.com/tips/security/basic_mac_os_x_security

Basically, it says the same things but not in such detail and in a more chatty way, so it's probably worth reading first then going on to the Apple PDF. You probably don't need to implement all the advice given there in a home situation, but it's worth a read.

Surely the problem is not HTML email; rather badly written software with badly conceived features which does a poor job of protecting the client.

Yes, I'm pointing my finger directly at Microsoft's shoddy products.

For Outlook 2000:
Choose a default message format
On the Tools menu, click Options, and then click the Mail Format tab.
In the Send in this message format list, click the format you want.

By default, when you respond to a message in Microsoft Outlook 2000, your reply is formatted the same way as the original message. For example, if you reply to a message sent to you in plain text, Outlook sends the response in plain text. However, you can change the message format of your reply. Place the insertion point in the message body, click the Format menu, and then click the name of a message format.

Outlook 2002 is a nightmare. No option to view email as plain text. I've always chosen plain text for my email. But my wife's laptop has Outlook 2002 and I've tried several times to switch to a plain text default. I've looked now at turning off the preview pane. Can't do either. Makes me mad that someone at Microsoft decided to take away user's controls.

Regarding >>> for reply: another program is Forte Agent,where you can indicate what you want, | or anything or nothing.

Regarding:

"Merely by reading a specially crafted e-mail, you could open your Windows machine to attackers, who are then free to install malicious programs, ...

The most dangerous threat is HTML content that enables the silent downloading of malicious software."

I think you do a disservice to the general reader to leave it at that. There is no reason today why any computer should allow unauthorized installation of software. A number of solutions: limited user; group policies, SRP; third-party programs -- all would prevent this from happening.

This is not to excuse the vulnerabilites in the software, but to depend on the email or browser clients as the first line of defense is outmoded in today's world of strategic planning.

WhitIV: I am a fan of the MAC as well, but if you believe this problem is unique to Windows, then you are not staying informed on the facts. As a professional in this arena, I can tell you that all platforms are vulnerable. MS gets the lions share of the publicity, partly because of their ridiculously broad and deep market penetration. I am not asking the laws to keep up with technology. We put more gangsters behind bars with tax evasion laws than we ever did murder charges and similar approaches could be used with this problem.

part 1)
Granny kat here now has windows 2000 professional and using outlook express for email..sending mail is set html, sending news is set at text..any suggestions as to what, if anything, should be changed? where do I locate 'receive email' if I need to change setting there?
part 2)and, am I to depend on outlook express to be impervious on its own as it is now with current settings?..also have charter high speed security suite from server..by now you've all guessed this pc is for minimal use..please someone help this old granny..

Brian,

Do you know whether disabling remote graphics + disabling scripting in HTML messages is sufficient to block this flaw? This is what Thunderbird seems capable of, but not text-only.

Hold on everybody - before we get on the Windows vs Mac rant, I think everyone is missing the mark here. The whole idea of this is not to get the world to stop sending HTML e-mail (that will happen as soon as we throw away the HD Flat Screens, satellite DVRs and digital cable and go back to watching local network stations on 13 inch B/W Televisions) but to take an extra precaution on your own volition on your own computer and just READ all of your incoming e-mail in PLAIN-TEXT format. Note that this does not offend the original sending party (they won't even know) and will not alter the e-mail message if you decide to later read it the way it came. All this suggestion offers (remember, this was only a suggestion made by Brian - not a commandment) is an extra layer of protection that disables all HTML code sent to you as a part of the original e-mail.

The benefit is that IF you were to receive an e-mail from someone and IF it happened to contain some HTML code that were to run upon access (like many web-pages do), and IF that code were to instruct your machine to quietly (i.e., in the background) download some bad things and execute them, then it simply would *not* happen because by opening the message in PLAIN-TEXT mode, you did not activate *any* HTML code even IF it is still there.

So, what everyone should do, rather than get on their own soap box and postulate that everyone should use their favorite OS or e-mail client because it is just the best one out there and everyone else is only asking for trouble if they don't follow your advice, is ignore all of that and just read your e-mail in PLAIN-TEXT to protect yourself, to help slow the spread of bad things and beat the bad guys at their own game.

Do you look out the peep-hole before you open the front door or just presume that it is the mailman because they said they were? What do you tell your children to do?

What I do is run a filter on all email on my mailserver - if it detects that a mail has both HTML and plaintext parts (as it should have), the HTML part is dropped automatically. Otherwise the HTML is sanitized before the mail gets delivered. Takes care of most annoying things...

"The benefit is that IF you were to receive an e-mail from someone and IF it happened to contain some HTML code that were to run upon access"

No. You are completely wrong. HTML is *not* code and it does not "run". HTML is mark-up not code.

HTML is only of relevance here, because it is possible to imbed JavaScript in HTML mail. The problem here is *JavaScript* - together with the fact that some clients - for example, older versions of Microsoft Outlook Express - by default allow scripts to run. ("Scripts" here also include VBS, which is a proprietary Microsoft scripting language.)

HTML as such in *not* a problem. The problem is old mail clients with bad defaults and misconfigured email clients. Nevertheless, electing to only view in plain text, as Brian suggests, is a reasonable work-around.

I don't have Outlook 2002 here, but in Outlook 2003 reading all mail in plain text is easy and doesn't require registry hacks: Tools-Options, Preferences tab, check the box labeled "Read all standard mail in plain text"

Brian, in regard to Eudora, are you sure you don't mean uncheck the box for "Allow executables in HTML content" under Tools | Display?
As I understand matters, if you can prevent the malware from running it just becomes another file on your PC, so disabling executables in HTML content should do the trick. Another layer of protection is to use an Intrusion detection/prevention program like ProcessGuard to determine if something unwanted is trying to run.

Al- Didn't see that one in Eudora's myriad options menu. But that's certainly one that I would uncheck as a Eudora user. Thanks.

To Steve who quoted me and then added...

""No. You are completely wrong. HTML is *not* code and it does not "run". HTML is mark-up not code""

You are right - Thank you for the correction; that is much more accurate. HTML is not code in itself but can be used to run code of another kind (like Java). Therefore, if HTML is not rendered (by reading in PLAIN-TEXT), it can not instruct the other code to run and therefore stop any potential bad things.

Thank you again for the clarification.

If I need to send e-mail only - I simply go to
http://www.fast-e-mail.com and send!
Nothing more!
Very secure!
And just what sometimes need to do!

If to tell about secure,
we need to care more about ourselves,
but not about our e-mails!

Funny, but realistic video, explaining how to be safety just I found at -

http://www.youtube.com/watch?v=loIBj6kespg
(you need to listen music here)

Take care with mice!

I see html as a real threat. It would be very simple for malicious spammers to insert an IFRAME tag into their HTML code which could redirect to an exploit server.

Chuck:

Interesting point you made, but BK posted above that he is not aware of any vulnerabilities to the Mac from HTML-encoded e-mail.

Chuck, I ask that you back your statement up. I follow Mac security closely - have for years - and I do not believe you are correct. I do not think you are even close. I am not the one who does not know his Macs.

All of you are surely savvier than me.
That said, may I humbly point out that Gmail is :
- collecting spam in a window apart, making
easy and fast to delete it forever
- using plain text, BUT allowing to switch
to HTML for anybody who cares to do it
- asking if you want or not to have images
displayed

Is not all this killing all the 'ifs','buts','maybes','no','yes',etc.?

(Swear, I haven't one single Google share,
unfortunately ....)

oldboy

WhitIV: What I was refering to was the inference that the MAC, by design, does not have security flaws and risks, and therefore everyone should switch to this platform. I think that logic is severely flawed on several levels. Again, I am not defending one platform or slamming another, just want to make sure we are forming our opinions and decisions based on fact, not media hype. This link is reasonably enlightening on the topic. http://www.techworld.com/security/news/index.cfm?newsid=1798

Even if there were no security concerns at all, I would continue to turn off HTML rendering in my mail client. Too many people/programs out there generate bad formatting; I'm really not interested in seeing someone's ornate font rendered at 8pt in pink on top of his custom stationery. (I am not making this example up.) Anything that allows the sender to control fonts, sizes, or colors can end up being hostile to some recipients, and educating the senders one at a time is too difficult. So I will continue to use pine, which dumps HTML on the floor, even if every security hole is miraculously fixed.

'This is not to excuse the vulnerabilites in the software, but to depend on the email or browser clients as the first line of defense is outmoded in today's world of strategic planning.'

I think it's more like the last line of defence when it comes to Windows. As John Walker quipped, 'HTML mail is increasingly the trademark of the clueless', and things like IncrediMail take it all to a wuthering height.

But there's nothing to fall back on when it comes to Windows. If the black hats find a way to poke through the onion skin thin web layer, they're in. And if you're lucky you'll get an alert you need to reinstall your OS.

It's never going to be better there.

It always amuses me the contortions that windows users have to go through to have a secure computing experience. Always treating the symptom and never the disease.

The problem is not the HTML Email But Microsoft Windows. If they'll learn to deal with security, there wouldn't be any problem.

Chuck:

The article you cite, from June 2004, was written by Secunia, a provider of computer security software, a company that would be happy to sell me security software - were there any market for it. The article presents quite an alarmist view on security of the Macintosh platform, you are correct. "Windows is more secure than you think, and Mac OS X is worse than you ever imagined."

How many thousands of viruses, how many hundreds of spyware and adware programs, have cost how many hundreds of thousands of PC owners how much time and money since that article was written? It is uncountable on the Windows side; all of the numbers are ZERO, ZIP, NADA, on the Mac side. How many times will untold thousands of people reformat their hard drives before they realize that there is a better way? I have been hearing these "the sky is falling" claims for five years now regarding the Mac - and for 2 1/2 years since the article you cite was written. Where are the Mac viruses? Where is the Mac spyware? Where is the Mac adware?

Why heck, on a Mac, I can still open HTML e-mail. What a concept.

lkcwzep rhavkpdg tmzson wfceiq hekqt eulzk zbeuic

adbncxi qhviec gqaxwzyf qsdpurfh snxm gasn inwy http://www.lvbqdpmz.erspo.com