A quick guide to email security and what's wrong with a generic antivirus program

Author: Serge M, developer of 1st Email Anti-Virus. Revised on 2004-05-01.

Feature-rich email is not only a powerful way of communication, but also a major security threat.


1. Why HTML email messages are dangerous

In addition to the usual email security headache - executable attachments - HTML messages introduce new problems.

1.1. HTML messages are executable

HTML is not a plain text, it is rendered and it may contain executable code. You get dozens emails daily. Every time you read an HTML email message - something could be executed. It is just like you would execute dozens of unknown programs daily.

What parts of the HTML message can be dangerous:

In the second part of the article we will take a closer look at the details of these technologies.

1.2. HTML messages can break your privacy

When you view an HTML message, embedded images and stylesheets are downloaded from a remote web server. This is called a "web bug". Your email client (via the built-in HTML viewer) sends to that web server the following information:

For example, the URL of the image downloaded may look like: http://example.com/image/98989892991813482, where 98989892991813482 may be the database key for your email address. Thus the sender will know for sure that you have read the message.

Also by issuing a cookie along with the image they can know your email address when you later visit a certain web site, thus having a clear personal identification.

2. You have to take it

You don't select the format of the email messages that you receive, the senders do. Also in most email clients you can not turn off the HTML mode. And if email is the communication tool that you have to use, you need to find a solution to this problem.

3. Real problems behind common antivirus tools

A typical antivirus scans a file to see if it has a virus that matches one of the patterns stored in the antivirus database. When a new, previously unknown, virus emerges, the antivirus is not able to catch it, unless the virus signature database has been updated. This situation has the following shortcomings:

Frequent updates are very hard to perform manually - users have to remember they need to do it and have to find the time for it. If the antivirus program will update automatically, there is another problem - the user's privacy. 

4. Antivirus programs and setting the most secure options in email clients

In October 2002 we made some testing to find out if using an antivirus and setting the most secure options in popular email client programs will help us to be safe from the possible attacks that use HTML / MIME email messages.

Threat / Can cope with? Popular generic antivirus software * Setting the most secure options in popular email client programs **
Iframe / MIME header / CLSID extension attack *** No ***** No  ****
Script attack No ***** Yes
Privacy violation via web bugs No No

* The following programs were tested: Norton Antivirus 2003, McAfee VirusScan Professional 6.02.
** The following programs were tested: Outlook Express 6.0, Outlook Express 5.5, Outlook 2000. Though not tested by us, Outlook XP / 2002 is reported to be vulnerable to similar attacks.
*** This is the most used type of attack, that uses iframe and then either MIME header or CLSID file extension trick. This vulnerability is exploited by many recent worms / viruses, including Klez and Nimda. The file is either executed automatically on message view, or a dialog pop-ups asking if to open or save a file.
**** Outlook 2000 is vulnerable to iframe based CLSID file extension attack, but MIME header attack may either succeed or fail, depending on the content-type value used and browser's settings. Typical browser configuration allows MIME header attack with "audio/x-wav" header.
***** While generic antivirus programs may recognize known viruses in scripts or exe files that are executed by email client, they don't block the possibility of the execution itself, leaving the user with the risk of executing malicious code that is not recognized as a virus.

So the conclusion is obvious - the protection was weak. To the date the antivirus makers probably have closed some of the holes mentioned above, but sadly the new vulnerabilities probably have been discovered by the hackers either.

5. A typical antivirus program is not enough to protect you

Having an antivirus is a very big step towards overall security, but generic antivirus software alone can't protect from all threats of HTML and MIME-based email. 

6. The solution

It has become obvious, that a new approach is required in dealing with HTML email.

1st Email Anti-Virus is a mail filter that deals with HTML-based contents and attachments. It copes with all known attacks that exploit HTML email vulnerabilities and all future attacks either. The program converts HTML messages to either plain text or to "safe HTML" and zips attachments, so they can not be launched automatically. Read more >

7. HTML / MIME email vulnerabilities details

Here we will see how viruses or trojans get into your computer, what holes they can use to be self-executed without your consent.

7.1. Attachments

Attachments obviously can contain harmful viruses or trojans. 

Many email clients require a special action from the user, such as double-clicking, to run an attachment. However, the most dangerous thing is that some email clients may contain bugs, by exploiting them a malicious virus sender can run the attachment without user knowledge or intervention. That is, a virus can be launched automatically just by previewing a message.

As an example, there is a known vulnerability, which is described as "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" which affects some versions of MS Outlook, and may affect other email clients which use Internet Explorer core to render HTML. That means that a hacker can send forged email message that automatically will run a virus or trojan. Almost all recent viruses and mail worms (such as Klez and Nimda) exploit this feature and hit many computers around the world.

Even if you can escape this kind of threat by using a filter that zips or detaches all attachments, never run any attachment that you are not sure. Scan all attachments with your antivirus program.

7.2. Images

Given the found bugs like "buffer overflow" or GZIP "double free" in web browsers, even embedded images can be dangerous - using the discovered holes a hacker can cause an arbitrary code to be executed. Not to mention privacy issues with "web bugs".

7.3. Bugs in email programs

Most popular email programs have bugs, which are exploited by mail worms and viruses to get into the victim's computer and to be launched. They include automatic execution of attachments, buffer overflows, etc. Many of them are related to MIME or HTML.

Some of the bugs may be patched by downloading the latest patches to your email program.

7.4. Iframe

An embedded iframe in email message could be used to run some VB script, and this script could have an access to the local file system. For instance, it could read or delete files. 

Besides that simple attack, in conjunction with email attachments with forged Content-Type and Content-ID headers, iframe allows to run any executable attachment, this is called MIME header attack. Klez, for example, uses this trick.  CLSID attack (forged file name ending in CLSID) also is used with an iframe.

7.5. Javascript and VB Scripts

They can easily trigger anything: for example, loading an iframe constructed in the script code. Also they can automatically send data to a web server by submitting the form without your consent, for example to send out the junk mail, or to use the recipient's computer as a tool for distributed denial-of-service attack. Fortunately, scripts are not executed in Outlook Express 5.5 and 6.0 if the most secure options are enabled.

7.6. ActiveX and Flash

ActiveX is a kind of compiled executable code, and thus can do anything their author wants. The protection by signing them can be compromised (there are real examples of this), also browser security settings, that prohibit running unsigned or unverified ActiveX controls, can be overcome either by launching HTML file from a local disk or simply by changing system registry entries.

Macromedia Flash plug-in interprets code, so it is also a potential threat. More, some bugs are reported recently in Flash plug-in, including buffer overflows, which in theory could be used to execute an arbitrary code.

The main point in dealing with this kind of problem is to translate HTML-based content to plain text or at the very least trying to filter all scripts and applets from emails.

8. Email Security Dos and Don'ts

9. Test if your email software is vulnerable to HTML based attacks

Please visit our security testing zone and receive or download a test email message.

10. References

© 1999-2016 ZZEE, Terms of use