It used to be possible that simply viewing a malformed email could allow a virus to spread, but that's no longer the case with modern mail programs.
New malware (including viruses) appears every day and it seems like they’re constantly getting smarter and craftier. And of course, each new piece of malware is an opportunity for even more people to become infected.
In the past, asking if you could catch an email virus just by reading your email would get laughs from the techie geeks in the crowd. “Of course not!” they would giggle.
Then came Outlook. Not only could opening an email infect your machine, but for a while, you didn’t even have to be present to do it.
And the geeks stopped giggling.
For a while.
Fortunately, today things are different.
HTML is the “language” of the web – it’s the way web pages are encoded and described to your browser so that it can draw, display, and make the web pages appear as the designer intended.
Your browser and the HTML that was displayed in it became a platform for computer programs.
Then along came email.
Email used to be plain text only and much of it still is.
But someone had a bright idea: what if we made email more flexible and gave it all of the richness of HTML formatting? In HTML-formatted email, words can be bold or underlined and we can put pictures in it, and much much more.
Email could be “pretty” and as complex as a magazine page.
And since many email programs simply used the same code as the web browser, email messages could now do things.
Then along came malware.
Malware in email
If email could “do things,” like run small programs within the window in which they were being viewed, it didn’t take long for hackers to exploit this and start writing malware that not only took advantage of that, but also exploited other vulnerabilities that those programs could access.
Vulnerabilities that would allow them to infect your machine with more malware.
Simply because you opened your email and looked at it.
Before it got better, it got worse.
Then, along came Outlook.
The Preview Pane’s Role
I say “Outlook,” but in reality, any email program that offered what we now call a “preview pane” could be vulnerable. Outlook was simply one of the earliest and one of the most popular.
The scary scenario worked like this:
- You leave your email program open on a view of your inbox with the preview pane showing.
- You have the “most recent” email selected and its contents are shown in the preview pane.
- You leave.
- You get more email. Outlook dutifully keeps the selection at the most recent and updates to select the newly arrived message.1 As a result, it also updated the contents of the preview pane with the contents of the new message.
Your email program “looked” at a message and your machine was infected and you weren’t even there.
Fortunately, that didn’t last long.
Modern email programs and sites don’t do that
Needless to say, that possibility was fixed quickly.
Along the way, the vulnerabilities related to email-based exploits2 have also been getting fixed – regularly and quickly.
Add to that the images aren’t even displayed by default by most email programs any more (for reasons related to spam, but it also increases your security with respect to malware) and today’s situation is very, very different.
You cannot get infected by just looking
Opening an email is a safe thing to do.
Having your preview pane open is a safe thing to do – even if you’re not around.
Email programs and email services now no longer allow the things that once upon a time made looking at an email risky.
You CAN get infected if…
The one thing missing from the discussion above is: attachments.
The ability to attach an arbitrary file to an email message actually pre-dates HTML formatted email. It remains a convenient way to transfer a file from one place to another.
Unfortunately, the word “arbitrary” is appropriate. Any file can be attached to an email, including programs that would infect your machine with malware.
That’s why one of the admonitions relating to internet safety is to never open an attachment you’re not expecting and that you don’t know is safe.
You can get infected by just looking at the contents of an attachment.
Email safety rules
So, let’s review the rules for safe email:
- Keep your versions of Windows, your browser, and your email program up to date with the latest patches.
- Run appropriate anti-malware software to help keep your system clean.
- Keep your anti-malware software up to date and most importantly, allow them to keep their databases of malware information as up to date as possible as well.
- Never open an attachment unless you expect it, you’re positive you know what it is, and that you trust the sender.
- Never click on a link in an email message unless you’re positive you know where it’s going and that you trust the sender.