It used to be scary easy.
In the past, asking if your machine could catch a virus just by reading email got laughs from the geeks. “Of course not!” they chuckled.
Then came Outlook.
Not only could opening an email infect your machine, but for a while, you didn’t even have to be around to have it happen!
The geeks stopped chuckling.
Fortunately, today things are different.
It used to be that email programs would automatically run programs embedded in email messages when displayed, and occasionally those could be malicious. This is no longer the case, and you will not get a virus from looking at an email. It remains important to be skeptical with links and attachments, and to keep all software as up to date as possible.
HTML is the “language” of the web. It’s the way webpages are written and described so your browser can display them as the designer intended.
Your browser, and the HTML displayed in it, became a platform for computer programs.
Then came email.
Email used to be plain-text only, and some of it still is.
But email began to be encoded using the same language as webpages: HTML. In HTML email, words can be bold or underlined, we can insert images, and more. Now email could be as “pretty” and complex as a magazine page.
Since many email programs simply used the web browser to display HTML, email messages could also now do things.
Then came malware.
Malware in email
Since email could “do things,” like run small programs within its display window, it didn’t take long for hackers to write malware that not only took advantage of that, but also exploited vulnerabilities those programs could reach. Those vulnerabilities allowed them to infect your machine with more malware.
All because you opened your email and looked at it.
Before it got better, it got worse.
Then came Outlook.
The Preview Pane
I say “Outlook,” but any email program offering what we now call a “preview pane” was vulnerable. Outlook was one of the earliest and most popular.
It worked like this:
- You left your email program open with the preview pane showing.
- You had your most recent email message displayed in the preview pane.
- You walked away.
- You got a new message. Outlook, keeping the selection at “most recent”, selected the newly arrived message [1] and updated the preview pane with its contents.
Your email program “looked” at a message and your machine was infected. You weren’t even there.
Fortunately, this didn’t last long.
Modern email programs and sites don’t do that
That possibility was quickly fixed.
Along the way, vulnerabilities related to email-based exploits [2] have also been getting fixed, regularly and quickly.
Additionally, images aren’t even displayed by default by most email programs. This is done for reasons related to spam, but it also increases your malware-related security.
Today, things are very different.
No, you cannot get infected by just looking
Opening an email is a safe thing to do.
Having your preview pane open is a safe thing to do, even if you’re not around.
Email programs and email services no longer allow the things that once upon a time made looking at an email risky.
You can still get infected if…
The one thing missing from the discussion above is attachments.
The ability to attach an arbitrary file to an email message predates HTML-formatted email. It’s a convenient way to transfer a file from one place to another.
Unfortunately, the word “arbitrary” is appropriate. Any file can be attached to an email, including programs that would infect your machine with malware.
That’s why one of the admonitions you hear over and over is to never open an attachment you’re not expecting and that you don’t know for certain is safe.
You can get infected by just looking at the contents of an attachment.
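To illustrate the two risks described above (HTML that can “do things” and arbitrary attachments), here is an added example, not part of the original article, that uses Python's standard email library to inventory a message's scripts, remote images, and attachments without rendering or opening anything. The sample message, its addresses, and the extension list are constructed for illustration.

```python
import os
import re
from email import message_from_string, policy

# Constructed sample (not real mail): HTML with a script and a remote image,
# plus an attachment whose name uses a misleading double extension.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<script>doSomething()</script>
<img src="http://tracker.example.com/pixel.gif">
</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Assumed, illustrative (not exhaustive) list of extensions Windows will run.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".msi"}

def inspect_message(raw):
    """Inventory active content and attachments without rendering or opening them."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"scripts": 0, "remote_images": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # arbitrary file: judge it by its real (last) extension
            ext = os.path.splitext(name)[1].lower()
            report["attachments"].append((name, part.get_content_type(), ext in RISKY_EXT))
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            report["scripts"] += len(re.findall(r"<script\b", html, re.I))
            report["remote_images"] += re.findall(
                r'<img\b[^>]*\bsrc=["\'](https?://[^"\']+)', html, re.I)
    return report

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```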
Email safety rules
- Keep Windows, your browser, your applications, and your email program up to date. If a vulnerability is discovered, you want it to be fixed as soon as possible to be as safe as possible.
- Run anti-malware software.
- Never open an attachment unless you expect it, you’re positive you know what it is, and you trust the sender.
- Never click on a link in an email message unless you’re positive you know where it’s going and you trust the sender.
Footnotes & References
1: This behavior has also changed. I believe Outlook no longer changes which message is selected.
2: One example: at one point, there were exploits in the software used to display images such that malware could be in maliciously-crafted image files. Not only have those exploits been resolved, but most email programs no longer display images from untrusted senders by default.