Author: Serge M, developer of 1st Email Anti-Virus. Revised on 2004-05-01.
Feature-rich email is not only a powerful means of communication, but also a major security threat.
In addition to the usual email security headache - executable attachments - HTML messages introduce new problems.
HTML is not plain text: it is rendered, and it may contain executable code. You receive dozens of emails daily, and every time you open an HTML message something could be executed. It is as if you ran dozens of unknown programs every day.
What parts of the HTML message can be dangerous:
In the second part of the article we will take a closer look at the details of these technologies.
When you view an HTML message, images and stylesheets referenced by URL are downloaded from a remote web server as the message is rendered. An image placed in a message for exactly this purpose is called a "web bug". Your email client (through its built-in HTML viewer) sends the following information to that web server:
For example, the URL of a downloaded image may look like http://example.com/image/98989892991813482, where 98989892991813482 is the database key for your email address. The sender then knows for certain that you have opened the message, and when.
If a cookie is set along with the image, the same server can later recognize you, and therefore your email address, when you visit a web site it serves, giving it a clear personal identification. This works because the email client's HTML viewer shares the browser's cookie store.
You don't choose the format of the messages you receive; the senders do. In most email clients you cannot turn HTML mode off. And if email is the communication tool you have to use, you need a solution to this problem.
A typical antivirus scans a file to see if it has a virus that matches one of the patterns stored in the antivirus database. When a new, previously unknown, virus emerges, the antivirus is not able to catch it, unless the virus signature database has been updated. This situation has the following shortcomings:
Frequent updates are hard to perform manually: users have to remember to do them and find the time. If the antivirus updates itself automatically, another problem appears: the user's privacy.
In October 2002 we ran tests to find out whether using an antivirus and setting the most secure options in popular email clients would protect against attacks that use HTML / MIME email messages.
| Threat / Can cope with? | Popular generic antivirus software * | Most secure options in popular email client programs ** |
|---|---|---|
| Iframe / MIME header / CLSID extension attack *** | No ***** | No **** |
| Script attack | No ***** | Yes |
| Privacy violation via web bugs | No | No |
* The following programs were tested: Norton Antivirus 2003, McAfee VirusScan Professional 6.02.
** The following programs were tested: Outlook Express 6.0, Outlook Express 5.5, Outlook 2000. Though not tested by us, Outlook XP / 2002 is reported to be vulnerable to similar attacks.
*** This is the most common type of attack: it uses an iframe together with either the MIME header trick or the CLSID file extension trick. The vulnerability is exploited by many recent worms / viruses, including Klez and Nimda. The file is either executed automatically when the message is viewed, or a dialog pops up asking whether to open or save the file.
**** Outlook 2000 is vulnerable to the iframe-based CLSID file extension attack, while the MIME header attack may succeed or fail depending on the Content-Type value used and the browser's settings. A typical browser configuration allows the MIME header attack with an "audio/x-wav" header.
***** Generic antivirus programs may recognize known viruses in scripts or executables launched by the email client, but they do not block the execution itself, so the user is still exposed to malicious code that is not recognized as a virus.
The conclusion is obvious: the protection was weak. By now the vendors have probably closed some of the holes mentioned above, but new vulnerabilities have probably been discovered by attackers as well.
Having an antivirus is a big step towards overall security, but generic antivirus software alone cannot protect against all threats of HTML and MIME-based email.
It has become obvious that a new approach to HTML email is required.
1st Email Anti-Virus is a mail filter that deals with HTML-based content and attachments. It copes with all known attacks that exploit HTML email vulnerabilities and, because it removes the active content instead of matching signatures, with attacks of the same kind that have not yet been seen. The program converts HTML messages to either plain text or "safe HTML" and zips attachments, so they cannot be launched automatically.
Here we will see how viruses or trojans get into your computer and which holes they can use to execute without your consent.
Attachments obviously can contain harmful viruses or trojans.
Many email clients require a deliberate action from the user, such as a double-click, to run an attachment. The real danger is that some email clients contain bugs which let a malicious sender run the attachment without the user's knowledge or intervention. That is, a virus can be launched automatically just by previewing a message.
As an example, there is a known vulnerability described as "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" (Microsoft Security Bulletin MS01-020). It affects some versions of MS Outlook and may affect other email clients that use the Internet Explorer engine to render HTML. It means an attacker can send a forged email message that automatically runs a virus or trojan. Almost all recent viruses and mail worms (such as Klez and Nimda) exploit this flaw and have hit many computers around the world.
Even if you escape this kind of threat by using a filter that zips or detaches all attachments, never run an attachment you are not sure about, and scan all attachments with your antivirus program.
Given bugs found in web browsers, such as buffer overflows or the GZIP "double free", even embedded images can be dangerous: through such holes an attacker can cause arbitrary code to be executed. That is apart from the privacy issues of "web bugs".
Most popular email programs have bugs, which are exploited by mail worms and viruses to get into the victim's computer and to be launched. They include automatic execution of attachments, buffer overflows, etc. Many of them are related to MIME or HTML.
Some of these bugs can be fixed by installing the latest patches for your email program.
An iframe is also used in combination with an email attachment whose Content-Type and Content-ID headers are forged: this lets the sender run any executable attachment, and is called the MIME header attack. Klez, for example, uses this trick. The CLSID attack (a forged file name ending in a CLSID) is likewise used together with an iframe.
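The following Python script is an added example, not code from this page or from 1st Email Anti-Virus. It builds a constructed message that combines the three tricks just described (an iframe that pulls an attachment in by Content-ID, an .exe declared as "audio/x-wav", and a file name ending in a CLSID) and then checks a parsed message for each of them. The sender and recipient addresses, the Content-ID name `payload`, the file names and the CLSID value are all made up; the checks are header heuristics, not a model of the vulnerable viewer.

```python
"""Flag the iframe / forged MIME header / CLSID file-name tricks in a message.

Added example using only the Python standard library; the sample message is
constructed here and is not a real worm.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows executes when the file is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                         ".vbe", ".js", ".jse", ".hta", ".wsh", ".wsf"}
# Explorer hides a trailing ".{CLSID}" and opens the file with that class, so
# "readme.txt.{...}" is displayed as "readme.txt".
CLSID_SUFFIX = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# An iframe whose src is a cid: URL loads an attachment of the same message.
IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)


def build_sample_message():
    """Constructed sample (made-up addresses, names and CLSID): an HTML part whose
    iframe references an attachment by Content-ID, that attachment being an .exe
    declared as audio, plus a second attachment using the CLSID file-name trick."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative('<html><body>Hi!<iframe src="cid:payload" width="0" '
                        'height="0"></iframe></body></html>', subtype="html")
    msg.add_attachment(b"MZ placeholder bytes, not a real program",
                       maintype="audio", subtype="x-wav",
                       filename="setup.exe", cid="<payload>")
    msg.add_attachment("placeholder text", subtype="plain",
                       filename="readme.txt.{12345678-1234-1234-1234-123456789abc}")
    return bytes(msg)


def analyze(raw):
    """Return a list of human-readable findings for the raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    by_cid = {}        # Content-ID -> (filename, declared content type)
    referenced = []    # Content-IDs loaded by iframes in HTML parts
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if cid:
            by_cid[cid] = (filename, ctype)
        if filename:
            if CLSID_SUFFIX.search(filename):
                findings.append(f"CLSID extension trick: {filename!r} declared as {ctype}")
            elif (os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS
                  and not ctype.startswith("application/")):
                findings.append(f"forged Content-Type: executable {filename!r} declared as {ctype}")
        if ctype == "text/html":
            referenced.extend(m.group(1) for m in IFRAME_CID.finditer(part.get_content()))
    for cid in referenced:
        target = by_cid.get(cid)
        if target:
            findings.append(f"iframe loads attachment by Content-ID: cid:{cid} -> "
                            f"{target[0]!r} ({target[1]})")
        else:
            findings.append(f"iframe references cid:{cid}, which is not an attachment here")
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_message()):
        print(finding)
```

A filter that zips or detaches attachments (as the page proposes) removes the target of the iframe and the forged part together; the checks above are what a mail gateway would log while doing so.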
ActiveX controls are compiled executable code and can therefore do anything their author wants. The protection offered by code signing can be compromised (there are real examples of this), and browser security settings that prohibit unsigned or unverified controls can be bypassed either by launching the HTML file from a local disk or simply by changing registry entries.
The Macromedia Flash plug-in interprets code, so it is also a potential threat. Moreover, bugs have recently been reported in the Flash plug-in, including buffer overflows, which in theory could be used to execute arbitrary code.
The main point in dealing with this kind of problem is to convert HTML-based content to plain text, or at the very least to strip all scripts, applets and similar active content from messages.
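The following is an added example of the "safe HTML" conversion just described, written for this page and not taken from 1st Email Anti-Virus. It also covers the web bug discussion above: besides dropping script, iframe, object, applet and style elements, event-handler and style attributes and javascript:/vbscript:/data: URLs, it refuses to keep any http(s) resource the viewer would fetch on open (images, stylesheets) and returns those URLs so they can be logged. The sample HTML, its URLs and the tracking number in them are constructed for the example.

```python
"""Convert HTML email to "safe HTML" with Python's html.parser (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

DROP_WITH_CONTENT = {"script", "iframe", "object", "applet", "style"}   # tag and body go
DROP_TAG_ONLY = {"embed", "link", "meta", "base", "frame", "frameset", "form"}
URL_ATTRS = {"src", "href", "background", "data", "action", "lowsrc", "dynsrc"}
FETCH_ON_VIEW = {"src", "background", "lowsrc", "dynsrc"}   # loaded without a click
BAD_SCHEMES = {"javascript", "vbscript", "data"}
REMOTE_SCHEMES = {"http", "https"}


def _scheme(value):
    return urlsplit(value.strip()).scheme.lower()


class SafeHtmlFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self.blocked_fetches = []   # remote URLs the viewer would have requested
        self._skip = 0              # > 0 while inside a dropped element

    def _note_remote(self, attrs):
        for name, value in attrs:
            if value and name in URL_ATTRS and _scheme(value) in REMOTE_SCHEMES:
                self.blocked_fetches.append(value)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._note_remote(attrs)
            self._skip += 1
            return
        if self._skip:
            return
        if tag in DROP_TAG_ONLY:
            self._note_remote(attrs)
            return
        safe = []
        for name, value in attrs:
            if name.startswith("on") or name == "style":    # handlers, CSS url()/expression()
                continue
            if value is not None and name in URL_ATTRS:
                scheme = _scheme(value)
                if scheme in BAD_SCHEMES:
                    continue
                if name in FETCH_ON_VIEW and scheme in REMOTE_SCHEMES:   # a web bug
                    self.blocked_fetches.append(value)
                    if tag == "img":
                        safe.append(("alt", "[remote image blocked]"))
                    continue
            safe.append((name, value))
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
                           for n, v in safe)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in DROP_TAG_ONLY:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass    # conditional comments can hide markup from a filter; drop them all


def to_safe_html(html):
    """Return (safe_html, list of remote URLs that were refused)."""
    f = SafeHtmlFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked_fetches


# Constructed sample: a tracking stylesheet and 1x1 image keyed by a made-up number,
# an inline (cid:) image that is fine to keep, plus script, iframe and handler payloads.
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="http://example.com/css/98989892991813482.css">'
    '</head><body onload="alert(1)"><p style="color:red">Hello, '
    '<a href="javascript:steal()">click</a> <a href="http://example.com/offer">real link</a></p>'
    '<img src="http://example.com/image/98989892991813482" width="1" height="1">'
    '<img src="cid:logo@example.com" alt="logo">'
    '<script>document.write("x")</script>'
    '<iframe src="cid:payload" width="0" height="0"></iframe>'
    '<!--[if IE]><script src="http://example.com/x.js"></script><![endif]-->'
    '</body></html>'
)

if __name__ == "__main__":
    safe, blocked = to_safe_html(SAMPLE_HTML)
    print(safe)
    print("blocked fetches:", blocked)
```

Links the user must click (`<a href="http://...">`) are kept, since they do not fire on view; inline `cid:` images are kept because they come from the message itself. Anything rendered this way is still HTML, so converting to plain text remains the safer option for untrusted senders.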
Please visit our security testing zone to receive or download a test email message.