  1. #1
    New Lounger sachssci's Avatar
    Join Date
    Apr 2003
    Location
    Valley Glen, California, USA
    Posts
    9
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Release of Trojan horses, viruses via Reading Pane?

    Hi, Everyone.
    I posted the following in the Microsoft IT Professional forum*, but I think it needs broad distribution ASAP, so I'm doing it here, too. Here we go:
    Some received Outlook e-mail messages must not be opened because they pose security threats. Most of us delete them immediately if the junk mail filter hasn't already caught them. Yet if Outlook is configured with the Reading Pane enabled, at least some level of message-opened display occurs automatically upon selecting the message, even before manually opening it.

    If the Reading Pane's automatic opening of any selected message is equivalent to opening the message manually, then we have a major security problem. It would be particularly important to avoid simply clicking on a message in the message pane since it would automatically open Pandora's box. In this case, all Outlook users should be warned quickly and with great fanfare of this potential threat. In this case, Microsoft should be taking corrective action immediately, and I assume someone reading this post is in a position to effect that.

    On the other hand, if somehow the Reading Pane is programmed to extract only safe text, then I'm worrying for nothing.

    What's the verdict, please?

    . . . Steve Sachs
    Former MCT

    * Major Outlook Security Issue: Reading Pane May Automatically Release Trojan Horses, Viruses, Etc.
    Last edited by jscher2000; 2011-12-01 at 11:30. Reason: Added link to other thread.

  2. The Following User Says Thank You to sachssci For This Useful Post:

    DragVid (2011-12-01)

  3. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    What is the rationale for believing that viewing the message releases malware, and which versions of Outlook do you believe are affected?

  4. #3
    5 Star Lounger Browni's Avatar
    Join Date
    Dec 2009
    Location
    Rochdale, UK
    Posts
    905
    Thanks
    17
    Thanked 59 Times in 59 Posts
    If I'm not mistaken, older versions of Outlook Express with the preview pane enabled did allow malware to be activated due to the way it used Internet Explorer to render the preview pane.

    I'm pretty certain that isn't the case nowadays.

  5. #4
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    20,655
    Thanks
    2
    Thanked 635 Times in 568 Posts
    The OP does not say which version(s) of Outlook he is referencing. Outlook 2007 & 2010 use the Word HTML rendering engine which is much less capable than IE. That makes it safer for email as some of the "automatic" capabilities of IE are no longer available. Outlook places additional restrictions on attachments it will accept.

    If you are really paranoid or just can't stand HTML email you can set Outlook to always Read email as plain text.

    Joe

  6. #5
    Star Lounger
    Join Date
    Sep 2010
    Location
    Yarra Glen, Victoria, Australia
    Posts
    62
    Thanks
    0
    Thanked 6 Times in 6 Posts
    There is an email filtering program called Benign (B9) which can strip out many of the nasties which may be contained in a HTML email, while still leaving it mostly readable in HTML format. It can also block or rename specified types of attachment. It's not an anti-virus, it just looks for things like non-standard HTML tags or scripting, and removes them.

  7. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Bundaburra View Post
    There is an email filtering program called Benign (B9) which can strip out many of the nasties which may be contained in a HTML email, while still leaving it mostly readable in HTML format.
    For anyone interested, it's $30.

    Product info: http://www.firetrust.com/en/products/benign (the makers of MailWasher)

    Has anyone tried it?

  8. #7
    New Lounger minnetonka's Avatar
    Join Date
    Dec 2009
    Location
    Nevada, USA
    Posts
    3
    Thanks
    3
    Thanked 0 Times in 0 Posts

    If e-mail software has the ability to automatically execute JavaScript...

    I worked for a government agency that dealt with cyber threats pretty aggressively. Most people I know set their email for plain text only. As for execution of something by just reading the email, we turned off the reading pane in Outlook. At home, I use Thunderbird. In addition to having several programs scan the email as it comes in, I used a setting that delays the email from being "read" for a specified time (in my case I set it to 5 seconds). Maybe I'm placing too much faith in it, but I can click on and delete it in less than 5 seconds. On one website (TrendSecure.com) it says, "If your e-mail software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, you should disable this feature." Would that be the rationale behind just reading the email, even if you know better than to click any links or open attachments?
    Action speaks louder than words but not nearly as often.
    --Mark Twain

  9. #8
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by minnetonka View Post
    On one website (TrendSecure.com) it says, "If your e-mail software has the ability to automatically execute JavaScript, Word macros, or other executable code contained in or attached to a message, you should disable this feature." Would that be the rationale behind just reading the email, even if you know better than to click any links or open attachments?
    In Outlook 98-2003, setting Outlook to open mail in the Restricted Sites zone rather than the Internet zone will disable those types of active content. At some point, this became the default. Unfortunately, users (or malware) could reduce the security of the Restricted Sites zone in IE's options (or the Windows registry), so this is not an airtight scheme.

    In Outlook 2007-2010, the HTML rendering engine no longer is capable of displaying those types of content, so the zone setting has been removed. While security vulnerabilities could exist in Outlook (or should I say, could be discovered and exploited before they are patched), the design of the software is sound.

  10. The Following User Says Thank You to jscher2000 For This Useful Post:

    ruosChalet (2011-12-10)

  11. #9
    Lounger
    Join Date
    Dec 2009
    Location
    New Plymouth, New Zealand
    Posts
    30
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Why Outlook?

    It seems to me that never a week goes by without Windows Secrets Lounge reporting a problem with Outlook. As an inaugural member of Gmail, I look back on several years of trouble-free e-mail handling by Google. Gmail also takes care of the few cases of spam that manage to get through, by infallibly popping them into its Spam folder. It then announces to me if and how much spam has arrived there.

    During the period I used Outlook, I also used Mailwasher, from its inception as a free programme, and later even bought its stablemate B9 (Benign). These I have not needed since I biffed Outlook.

    Those were the days, days mercifully over, thanks to Google's Gmail. And if you haven't seen the latest iteration of Gmail, you may not know what a great programme you are missing.

    Dic

  12. #10
    Lounger Super Sarge's Avatar
    Join Date
    Oct 2011
    Location
    Jordan Minnesota
    Posts
    45
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I use Outlook 2010, before that 2007, and before that 2003 and so on, and have never had a virus problem using it. My AV has caught everything that may have tried to slip through. I use the reader pane; what little junk mail I do get is in most cases caught by the Outlook 2010 filter. I also block numerous country domain names, most of Africa and Eastern Europe; this really cuts down on the crap.

  13. #11
    Lounger
    Join Date
    Nov 2009
    Location
    Ridley Park, PA
    Posts
    25
    Thanks
    0
    Thanked 1 Time in 1 Post
    You cannot get a virus just by reading an email. Opening an email in the reading pane of any fairly modern email client alone cannot infect your computer. If you claim to know of such a case then please provide details. And I don’t mean links to sites where other people post nonsense about it!

    Also, minnetonka's reply about the setting that adds a five second delay has absolutely no effect on whether or not the email message is actually "read" or not! That is simply a setting that determines how long after opening a message in the preview pane the message is marked as "Read". You know, meaning that the Subject line in the message list goes from bold to normal type? But have no worries - you will not get infected by reading a message. Just do not ever open an attachment in any email message unless someone you know and trust tells you they are sending it to you and when.

    Jim

  14. #12
    Lounger
    Join Date
    Dec 2009
    Location
    Bethesda, MD, USA
    Posts
    32
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Dic View Post
    It seems to me that never a week goes by without Windows Secrets Lounge reporting a problem with Outlook. As an inaugural member of Gmail, I look back on several years of trouble-free e-mail handling by Google. Gmail also takes care of the few cases of spam that manage to get through, by infallibly popping them into its Spam folder. It then announces to me if and how much spam has arrived there.

    During the period I used Outlook, I also used Mailwasher, from its inception as a free programme, and later even bought its stablemate B9 (Benign). These I have not needed since I biffed Outlook.

    Those were the days, days mercifully over, thanks to Google's Gmail. And if you haven't seen the latest iteration of Gmail, you may not know what a great programme you are missing.

    Dic

    I don't care to share the contents of my emails so that Gmail may send me targeted ads. My privacy is more important to me than perhaps it is with you. Also, I prefer to do my emailing from my computer, instead of relying on the net. So while Gmail works for you, it certainly doesn't work for everyone.

    I've used Outlook since at least 1997--maybe even before, I can't remember anymore. I use it in a standalone environment, not on an Exchange server, and like "Lounger", so far, I've had few serious issues with it, other than a corrupted profile, which admittedly was no fun to recover from, but that was early on. Unless I'm mistaken, there's simply nothing else like it and it performs numerous tasks. Without question it is my most important piece of software and that's why part of my monthly computer maintenance is to take care of its PST file.
    Henry S. Winokur
    PC .HLP Computer Consulting -- Supporting family & SOHO Windows users in the DC area since 1990
    Bethesda, MD

  15. #13
    Lounger Super Sarge's Avatar
    Join Date
    Oct 2011
    Location
    Jordan Minnesota
    Posts
    45
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I have used Outlook also as a standalone. I have had versions of it going way, way back. I now use 2010 and have for about 2 years; no problems encountered in its use.

  16. #14
    Lounger
    Join Date
    Nov 2009
    Location
    Ridley Park, PA
    Posts
    25
    Thanks
    0
    Thanked 1 Time in 1 Post
    I use Gmail but not for anything sensitive that requires privacy. I have used Outlook for years but very much on and off. Outlook over the years never handled IMAP mail accounts very well at all. This version - 2010 - does so better than in the past, though it is still lacking with respect to IMAP IMO.

    Jim

  17. #15
    2 Star Lounger
    Join Date
    Jan 2011
    Posts
    199
    Thanks
    21
    Thanked 2 Times in 2 Posts
    Henwin and Super Sarge....

    I also have used Outlook for many years, and am still learning new functionality contained in it. It is my workplace..... most things travel by e-mail nowadays, so most things are contained in my Outlook mail folders.

    I have turned off the reading pane in Outlook to avoid possible nasties from infecting my machine. I also don't open mails from unknown sources to avoid infection. (There is also the Antivirus which helps me out). Not had a problem in all the years.

    I am now looking into changing to using IMAP mailboxes instead of POP mailboxes, so here comes a whole new learning curve!
