How-To Geek

HTG Explains: Why You Can’t Get Infected Just By Opening an Email (and When You Can)

Email viruses are real, but computers aren’t infected just by opening emails anymore. Just opening an email to view it is safe – although attachments can still be dangerous to open.

Past security problems with Microsoft Outlook resulted in a lot of damage, and some people still believe that just opening an email is dangerous. This isn’t true.

Why Opening an Email is Safe

Emails are essentially text or HTML documents (web pages). Just like opening a text file or web page in your browser should be safe, opening an email message should also be safe. Whether you are using Hotmail, Gmail, Yahoo Mail, Outlook, Thunderbird, or another web-based or desktop email client, opening an email – even a suspicious looking one – should be safe.

However, some emails may try to infect you after you open them. They may contain malicious programs as attachments or have links to malicious websites full of malware and scams. You should only run trustworthy attachments – even if someone you trust sends you a file attachment with a .exe file or another program file, you probably should not open it. The sender may have been compromised.

As with everything on the web, you shouldn’t run programs that try to automatically download onto your computer after you click a link.

Why Opening Emails Was Once Unsafe

In the past, Microsoft Outlook had a serious security problem. Emails – which were once just plain text – are also allowed to contain HTML code: the same code that web pages like this one are written in. An Outlook vulnerability allowed emails to run JavaScript code and infect your computer. For this reason, just opening an email was potentially dangerous.

However, this vulnerability was fixed. Emails cannot use JavaScript. Modern email clients don’t even automatically display images in emails. As with web browsers, operating systems, and other computer programs, security holes are occasionally discovered and patched.

As long as you are using up-to-date software – including your mail client, browser, browser plugins, and operating system – you should be able to open email messages and view them without fear.

Email Safety Tips

File attachments and links in email can still present danger. Follow these best practices to stay safe:

  • Keep Your Mail Client, Web Browser, and Operating System Updated: Software updates are important, as the bad guys regularly find holes and try to exploit them. Software updates close these holes and protect you. If you are running an outdated browser and email client, you could be compromised. (If you have Java installed, you should uninstall it or at least disable the browser plugin to protect yourself, too.)
  • Use Antivirus Software: On Windows, antivirus software is an important layer of protection. It can help protect you from both mistakes and software bugs that allow malware to run without your permission.
  • Don’t Run Dangerous Attachments: If you get a PDF file from someone, it’s probably safe to open (especially if your PDF reader is up-to-date). However, if you suddenly get an email with a .exe file or another potentially dangerous type of file you aren’t expecting – even if it’s from someone you know – you probably shouldn’t run the attachment. Exercise extreme caution with email attachments – they are still a common source of infection.
  • Be Careful of Links: Clicking links should be safe, just as loading a website in your browser should be safe. However, if the link looks like it leads to a site packed with malware and acai berry scams, you probably shouldn’t click it. If you do click a link, don’t download and run any potentially dangerous files. You should also watch out for phishing – if you click a link in an email that appears to be from your bank and end up on a similar-looking website, it may not actually be your bank’s website, but a clever imposter.
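
To make the distinction concrete, the following Python example (added here; it is not code from How-To Geek or from any mail client) walks a raw message and reports the pieces discussed above: script in the HTML body, hotlinked images that a client blocks by default, and attachments with program file extensions. The sample message, its host names, and the names `ActiveContentFinder` and `inspect_message` are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".com", ".bat", ".js", ".vbs")  # program file types named on this page

# Constructed sample message with made-up hosts; not a real email.
RAW = """\
Subject: Account notice
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<body onload="track()"><script>track()</script>
<a href="javascript:track()">View statement</a>
<img src="http://mailer.example/open.gif?id=123"><img src="cid:logo"></body>
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--B--
"""

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.findings.append(("script", "<script> element"))
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onclick, ... hold script
                self.findings.append(("script", f"{name} handler on <{tag}>"))
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(("script", f"javascript: URL in {name} of <{tag}>"))
        # Hotlinked images are fetched from the sender's server; cid: images are attached.
        if tag == "img" and urlparse(attrs.get("src") or "").scheme in ("http", "https"):
            self.findings.append(("remote-image", attrs["src"]))

def inspect_message(raw):
    findings = []
    for part in message_from_string(raw, policy=default).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):  # catches invoice.pdf.exe too
            findings.append(("attachment", name))
        elif part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            findings += finder.findings
    return findings

if __name__ == "__main__":
    for kind, detail in inspect_message(RAW):
        print(f"{kind:13} {detail}")
```

The script and remote-image findings are what an up-to-date client neutralizes when it renders the message; the attachment finding is the part that still depends on the reader not running the file.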

For more information about dangerous phishing emails, read Online Security: Breaking Down the Anatomy of a Phishing Email.


There are a variety of problems you could encounter with email: dangerous file attachments, scams that try to take your money, phishing emails that attempt to steal your personal data, and links to dangerous websites. However, just opening an email shouldn’t cause any problems.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 01/30/13

Comments (26)

  1. LadyFitzgerald

    Not everyone runs Outlaw (aka outlook). What about web based email?

  2. BobbyPhoenix

    All emails web based or not are covered. “Whether you are using Hotmail, Gmail, Yahoo Mail, Outlook, Thunderbird, or another web-based or desktop email client, opening an email – even a suspicious looking one – should be safe.”

  3. Iszi

    Isn’t it a bit self-contradictory to be making the blanket statement that “Just opening an e-mail to view it is safe…” while also having to remind people to keep their software updated? If simply opening an e-mail was truly safe, there would not be any need for security updates to e-mail software.

    The statement “If you are running an outdated browser and email client, you could be compromised.” is also incomplete and misleading. Even fully up-to-date e-mail clients can be compromised via zero-day exploits. For the sake of amusement, let’s take zero-days out of the equation. What do we have, then? There are still a myriad of public software vulnerabilities out there for which the vendor has either chosen not to issue a patch, or has delayed patching for arbitrary reasons.

    Now, is just opening an e-mail safer now than it was five or ten years ago? Certainly. E-mail software vendors have gotten a lot smarter about what they allow an e-mail to do by default. Is just opening an e-mail safer than actually opening the attachments or following any of its links? Almost definitely. Does this make opening suspicious e-mails safe, though? NO.

    Simply opening suspicious e-mails is sort of like driving down the highway without a seat belt. Sure, chances are relatively slim that you’re going to get in an accident. However, just about everybody will eventually have one. Without that seat belt, it’s going to hurt real bad.

    Oh, and I think I forgot to mention this particular highway has a LOT of student drivers.

  4. Ron

    How about images? When you download an image, can it contain nasties?

  5. spike

    @Ron: It’s possible, although that hasn’t been as commonly used as an attack vector in more recent times. That’s why most mail clients don’t display linked images by default.

  6. S. H.

    I am tempted to wonder how many people will walk away from this story and think they are safe in opening suspect emails since the threats change all the time. Not too long ago we had a vulnerability to do with JPEGs, and the interpretive library was so ubiquitous it was in Windows, Mac, and Linux. The safest thing to do with an email you think is dangerous is to delete it. There are far too many intelligent and capable malware authors out there to think the average user will always be safe with their inbox.

    My recommendation is to never use IE, use web based email, and not to circumvent the picture display feature. And stick to a non standard web browser if you really can, Chrome, IE, and Firefox are too popular and exploiting them gives more payoff to the authors than coding for a niche browser. Opera is always a nice option, fire it up and put its homepage to your inbox, essentially treating the browser like a mail client.

  7. spike

    @Iszi: The highway analogy is a good one. Fortunately, an infected computer doesn’t mean physical bodily harm, though. :)

  8. Iszi

    @spike …yet.

  9. Iszi

    @Ron In addition to @spike’s comment, the more likely threat with images these days is that they may be used to track or verify your e-mail address. When you allow an e-mail to display hotlinked images (as opposed to images attached in the message) a malicious e-mail author can obtain your IP address and some other information. Usually, IP addresses are relatively harmless on their own. However, it does strip away some privacy. Perhaps the most important thing you’ll tell the attacker by downloading the image, is that you do read e-mails sent to that address – and, even more importantly, you do read *his* e-mails.

  10. TheFu

    I respectfully disagree. Here is why: https://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

    There are probably thousands of unknown cracks against MS-Windows in the wild. Respected security researchers say it takes about 2 weeks to create a new way to gain elevated permissions on any version of MS-Windows.

    We never know about these new attacks until they become popular enough to be seen by security teams. That doesn’t mean they do not exist. Before the best attacks become known, they are used against high-value targets. Most of us ARE NOT high value targets, but if you are in a position with access inside a company, chances are you are a target. That includes help desk workers with remote control to other PCs.

    Should you be afraid just looking at a list of emails with subjects? Perhaps, but there is not much anyone can do about it when running a thick client. Webmail has different attack vectors – like when just viewing a website icon provided elevated access. I do not have any belief that every hole in every OS has been closed. You shouldn’t either.

    What is the solution?
    * backups, backups, backups – make certain they are versioned and not just a mirror.
    * stay patched at the OS level.
    * stay patched at the application level.
    * avoid dangerous parts of the internet.
    * avoid ad networks that use either flash or javascript – these are real vectors of attack
    * remove java unless you need it to make money. Java is not javascript.
    * use your PC like you do not have any AV programs running. Even the best AV is only 50% effective in the real world.
    * If you didn’t go looking for a download, do not accept it. Do you really want to install Ransom-ware? https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/
    * Linux, OSX, Android, i-whatever AND Windows people are all targets. We have something they want.
    * “They” are not out to get most people as individuals, but “they” are out to get everyone. “They” use tireless computers, most are not even their computers, to try to crack into our emails, our blogs, our systems, our routers, our companies.

    There are many different ways that our PCs and data can be used for profit: The value of a hacked PC: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ explains.

  11. Rick Bishop

    Hackers thrive on the paranoia and chaos they can create in the lives of others, just as many people are drawn to being paranoid. One doesn’t need look any further than their favorite television news program to be certain of that fact.

    There are three rules for email I always watch for.
    1. If the email only has a link in it – I delete it
    2. If the subject line has any gibberish whatsoever – I delete it
    3. If the email is only a little suspicious – I delete it

    * In the past, over 80% of all spoofed emails I’ve received have come from Yahoo
    * I use IE and Outlook because they are the easiest to use for me. Firefox is my secondary browser, in case IE breaks and regardless of whatever browser is used … They all break at one point or another. Google, like Yahoo, has a hard time respecting the privacy of their end users.

    Good article and about time we stopped giving in to the bullies on the playground.

  12. Midwest guy

    One word: Sandboxie

  13. ned11wils

    Heyy iszi. Heyy spike. You guys should be a team, y’know?

  14. williambaugh

    just don’t open any .com , .exe , .bat , .js , .vs , .vbs

    the highway / seat belt is good, but have you ever seen a person killed because the belt jammed and wouldn’t let go??
    sorry, seat belts are not for me, besides insurance companies will tell you they save you, but they really only save the company from paying off lots of money for long term medical issues instead, it’s just a simple coffin.

  15. gyffes

    I had something interesting happen once not too many years ago.. opened a message in Thunderbird (mac) and IMMEDIATELY FF launched and tried to load a page. Fortunately, Mozilla had already marked the page as unsafe, but I never was able to view the text of the message b/c every time I tried opening it, Firefox would pop to the fore.

  16. FOAD

    Didn’t we just go through a big argument about Java versus JavaScript? And here you just said, and I quote, “An Outlook vulnerability allowed emails to run JavaScript code and infect your computer.”

    So there you have it. Not only is Java potentially insecure but Java SCRIPTS are too! Regardless if it’s a email client or a browser executing HTML, if the added code says “Java” then use with extreme caution or better yet, just don’t do it. (Although you might want to try the “No Script” extension if you use Firefox.)

    I’m also not forgetting that you said to keep things updated. But then there are some people who don’t or can’t! You really need to consider that most free email accounts (except for those possibly with GMail) often only allow opening of messages via a BROWSER which might not be updated as regularly as Windows is. Therefore, it is possible to unwittingly be running malicious code that outright directs your browser to another web page, likely in a new window/tab. So any non-updated browser like Opera, Chrome, Firefox or even Microsoft’s own Internet Explorer could be executing malicious code at least until any holes are plugged within the BROWSER and/or its add-ons/plugins/extensions. And should I point out the lesser known browsers such as Seamonkey or even Konqueror where updates are rare – assuming they’re even available?

    Now as far as email clients go, not everyone uses Outlook either. I personally find it a bit arrogant to somehow assume everyone even uses a dedicated client. But where Outlook is concerned, just consider the fact that various older versions could be out of date right now! It may be worth noting that some editions of Office 2003 for example, do require a service pack to be manually applied. So if you think you’re somehow “safe” using a client like Outlook then think again! (You might also note that Office 2003 will continue to be supported until 2014 too.)

    So the standard rule of thumb to NOT open email from untrusted/unknown sources is STILL GOOD ADVICE! And although I do see your point that it’s not as dangerous as it once was, I just don’t think I’d go as far as to imply that it’s somehow “safe” or that you can’t get infected.

  17. Marc

    Can anyone confirm that java is NOT required by any sites at this time? I’m wondering about the comment that Java MUST be disabled. I guess I haven’t been paying attention if Java does not “exist” anymore and therefore is not useful/needed.
    Curious,
    Marc

  18. DiggerP

    Look at what “MIDWEST GUY” posted : Sandboxie http://sandboxie.com/
    My first line of defense and has been for years. However, from the comments it looks like nobody is listening.
    (to their own detriment I might add)

  19. DiggerP

    @ Marc,

    No, it can’t be confirmed that Java is not required. While possibly in the minority, lots of sites require Java to function properly, including some banking sites for on-line banking, stock trading programs and many on-line game sites. File hosting sites when uploading a file.
    Pogo is a popular game for many and it requires Java.
    So do many devices like modems and routers, e.g. try to set up your router without Java and you’ll fail.
    Internet speed tests often use Java, although Flash is used as well.
    One method to try is to set one browser with Java enabled and use it only when websites require it and when it’s important for you. Use another browser with Java disabled for regular browsing.
    Regardless which method you use, at least browse sandboxed, see my post above.

  20. Richard Steven Hack

    The vast majority of Web sites are not dependent on Java and many that used to are being redone in HTML5 which provides a lot of the functionality. If you disable the Java browser plugin and you run into a site that requires it, the site or your browser will tell you and you can re-enable it. Really, disable the plugin unless you need it. There are just too many new Java security holes to use the browser plugin.

    It’s all right to have the Java run time software installed on your system if you’re running something that needs it. Just disable the plugin.

    As for opening links in email safely, be aware that it is possible to embed harmful code invisibly in links that may affect what site you access. It’s best to cut and paste a link into the browser address bar so you can inspect it as text before going to it. It’s really best to disable HTML display of emails completely. Force all emails to be displayed as text.

    The problem with all such security issues is that new ways are being found all the time to evade the supposed “security controls” embedded in browsers and email clients, as well as the operating system itself. There’s no substitute for being aware and suspicious of ALL emails.

    There is, for example, no such thing as an email from a “trusted source”. It’s an EMAIL – not a “trusted source” regardless of who you THINK it came from. ALL emails should be regarded as “untrusted”.

  21. Cody

    @DiggerP Router setup is HTML based NOT java. If it has anything java* it is javascript which is NOT oracle’s/Sun’s Java.

  22. TheFu

    If you are a target, there isn’t much you can do.
    This http://www.h-online.com/security/news/item/Report-Chinese-hackers-attacked-the-New-York-Times-1794767.html describes how the NYT was attacked AND hacked. Every employee’s password was stolen and at 1 building, every PC inside was loaded with malware.

    Email is believed to have been the first method used to gain access.

  23. JD Rosen

    Anybody that uses Yahoo for anything other than a trash can should be shot.

  24. Matt Gilbert

    Just use linux, and any of the fine email clients available.

  26. John

    Someone mentioned the hazard of using seat belts. Consider this. When you hit something the car stops but you don’t. The seat belt will prevent you from being thrown into the dash or steering wheel preventing serious harm.
