New malware appears every day, and it seems like hackers constantly get smarter and craftier.
In the past, asking if your machine could become infected with malware by just reading your email would get laughs from the geeks in the crowd. “Of course not!” they would giggle.
Then came Outlook. Not only could opening an email infect your machine, but for a while, you didn’t even have to be around to have it happen.
And the geeks stopped giggling.
For a while.
Fortunately, today things are different.
HTML is the “language” of the web. It’s the way web pages are encoded and described to your browser so it can display the web pages as the designer intended.
Your browser, and the HTML that was displayed in it, became a platform for computer programs.
Then along came email.
Email used to be plain-text only, and much of it still is.
But someone had a bright idea: what if we made email more flexible and gave it all of the richness of HTML formatting? In HTML-formatted email, words can be bold or underlined, we can insert images, and much, much more.
Email could be as “pretty” and complex as a magazine page.
Since many email programs simply used the same code as the web browser, email messages could also now do things.
Then along came malware.
Malware in email
If email could “do things,” like run small programs within the window in which they were being viewed, it didn’t take long for hackers to start writing malware that not only took advantage of that, but also exploited other vulnerabilities those programs could access.
Vulnerabilities that allowed them to infect your machine with more malware…
…simply because you opened your email and looked at it.
Before it got better, it got worse.
Then, along came Outlook.
The Preview Pane’s Role
I say “Outlook,” but in reality, any email program that offered what we now call a “preview pane” was vulnerable. Outlook was simply one of the earliest and most popular.
The scary scenario worked like this:
- You left your email program open on a view of your inbox with the preview pane showing.
- You had the “most recent” email selected; its contents were in the preview pane.
- You left.
- You got new email. Outlook dutifully kept the selection at the most recent, and updated to select the newly arrived message. As a result, it also updated the contents of the preview pane with the contents of the new message.
Your email program “looked” at a message and your machine was infected. You weren’t even there.
Fortunately, that didn’t last long.
Modern email programs and sites don’t do that
Needless to say, that possibility was fixed quickly.
Along the way, the vulnerabilities related to email-based exploits have also been getting fixed, regularly and quickly.
Additionally, images aren’t even displayed by default by most email programs anymore (for reasons related to spam, but it also increases your security with respect to malware). Today’s situation is very, very different.
Today, you cannot get infected by just looking
Opening an email is a safe thing to do.
Having your preview pane open is a safe thing to do, even if you’re not around.
Email programs and email services no longer allow the things that once upon a time made looking at an email risky.
You CAN get infected if…
The one thing missing from the discussion above is: attachments.
The ability to attach an arbitrary file to an email message actually predates HTML-formatted email. It remains a convenient way to transfer a file from one place to another.
Unfortunately, the word “arbitrary” is appropriate. Any file can be attached to an email, including programs that infect your machine with malware.
That’s why one of the admonitions relating to internet safety is to never open an attachment you’re not expecting and that you don’t know for certain is safe.
You can get infected by just looking at the contents of an attachment.
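To make the two risks described above concrete (HTML that can "do things" and arbitrary attachments), here is an added example, not part of the original article, that inspects a raw message without rendering it or opening anything. The names `triage`, `ActiveContentFinder` and `RISKY_EXTENSIONS`, the extension list, and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from pathlib import PurePath

# Assumption: illustrative, non-exhaustive set of extensions that run code when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".docm", ".xlsm"}

class ActiveContentFinder(HTMLParser):
    """Collects HTML constructs that let a message "do things" when rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...: script run on an event
                self.findings.append(f"{name} handler on <{tag}>")
            elif tag == "img" and name == "src" and (value or "").lower().startswith("http"):
                self.findings.append("remote image")

def triage(raw_message):
    """Report active HTML content and attachments without rendering or opening anything."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    report = {"active_html": [], "attachments": []}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # record the name and whether its final extension is risky
            risky = PurePath(filename).suffix.lower() in RISKY_EXTENSIONS
            report["attachments"].append((filename, risky))
        elif part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            report["active_html"].extend(finder.findings)
    return report

# Constructed sample message (not real mail): scripted HTML body plus an attachment.
SAMPLE = b"""Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<html><body onload="run()"><script>run()</script><img src="http://example.com/p.gif"></body></html>
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

--B--"""
```

Calling `triage(SAMPLE)` lists the script, event handler and remote image in the HTML body, and marks `invoice.pdf.exe` as risky because only the final extension decides how the file is opened.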
Email safety rules
So, let’s review the rules for safe email:
- Keep your versions of Windows, your browser, and your email program up to date with the latest patches. If a vulnerability is discovered, you want it to be fixed as soon as possible so as to keep things as safe as possible.
- Run appropriate anti-malware software to help keep your system clean.
- Keep your anti-malware software up to date, and most importantly, allow it to keep its databases of malware information as up to date as possible as well.
- Never open an attachment unless you expect it, you’re positive you know what it is, and you trust the sender.
- Never click on a link in an email message unless you’re positive you know where it’s going, and you trust the sender.