|
Posted by Sol on April 21, 2006, 7:12 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hi there.
I use Internet Explorer 6 (sp1, yada) and Outlook Express 6 for
browsing and email. I keep IE's "Internet Zone" security stringently
configured and have OE configured to use the "Internet Zone's" security
settings. I haven't had a malware infection since I can remember, but
I'm worried about something. I'm paranoid (in ways) when it comes to
security, so I was wondering if anyone could tell me whether or not OE
ACTUALLY depends on IE's settings for its security, or if, for example,
there's a possibility that malicious active content in an email can
still run (whereas I have IE set to reject all active content in web
pages)?
Maybe I should make the question a little broader: is HTML email
dangerous in general, or only when active content is allowed? If it's
only dangerous when active content is allowed, can OE truly be
configured to reject active content? Or will I need to use something
else, such as Thunderbird?
(I'm ignoring the dangers of email attachments for this discussion,
BTW.)
Thanks many times over (in advance) for your help.
|
|
Posted by David H. Lipman on April 21, 2006, 7:38 pm
If you were Registered and logged in, you could reply and use other advanced thread options
| Hi there.
|
| I use Internet Explorer 6 (sp1, yada) and Outlook Express 6 for
| browsing and email. I keep IE's "Internet Zone" security stringently
| configured and have OE configured to use the "Internet Zone's" security
| settings. I haven't had a malware infection since I can remember, but
| I'm worried about something. I'm paranoid (in ways) when it comes to
| security, so I was wondering if anyone could tell me whether or not OE
| ACTUALLY depends on IE's settings for its security, or if, for example,
| there's a possibility that malicious active content in an email can
| still run (whereas I have IE set to reject all active content in web
| pages)?
|
| Maybe I should make the question a little broader: is HTML email
| dangerous in general, or only when active content is allowed? If it's
| only dangerous when active content is allowed, can OE truly be
| configured to reject active content? Or will I need to use something
| else, such as Thunderbird?
|
| (I'm ignoring the dangers of email attachments for this discussion,
| BTW.)
|
| Thanks many times over (in advance) for your help.
Since OE uses IE's HTML renderer and there are so many vulnerabilities that have
been
patched and exploited and some vulnerabilities that remain unpatched, there is a
slim chance
of receiving a well crafted HTML exploit based email. That is why I use Pegasus
Mail and I
always like to use HTML/Rich Text email and P-Mail's limited rendering of HTML
makes it much
safer to use than OE. { Not to mention it has much better spam tools }
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
|
Posted by Sol on April 21, 2006, 8:08 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> I use Pegasus Mail and I always like to use HTML/Rich Text email and P-Mail's
> limited rendering of HTML makes it much safer to use than OE.
Well... I took Pegasus Mail for a test drive, but I can't say I really
like the UI. I like Thunderbird--how does it stack up? (I've heard
some information to the effect that Mozilla-derived software is
insecure, but I'm guessing that's FUD.) Or is there nothing comparable
to P Mail?
Thanks a million.
Cheers.
|
|
Posted by Art on April 21, 2006, 9:10 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>David H. Lipman wrote:
>> I use Pegasus Mail and I always like to use HTML/Rich Text email and P-Mail's
> limited rendering of HTML makes it much safer to use than OE.
>
>Well... I took Pegasus Mail for a test drive, but I can't say I really
>like the UI. I like Thunderbird--how does it stack up? (I've heard
>some information to the effect that Mozilla-derived software is
>insecure, but I'm guessing that's FUD.) Or is there nothing comparable
>to P Mail?
They've both had critical vulnerabilites fixed, and nobody knows when
more will be found. There's no such thing as bullet proof software.
That said, T-Bird is a excellent choice. Just leave the default
setting of having scripting disabled. Like Pegasus, T-Bird won't
allow the user to Run email attackments.
I'd be far more worried about your use of IE. You should really only
use it for updating Windows security patches, and for known trusted
web sites. Make Firefox or Opera your default browser. That way you
are far safer with clickable links in email and newsgroups as well.
If you haven't checked out Opera, give it a try. It's measurably
faster in most cases than other browsers, and it has a decent
history when it comes to flaws and vulnerabilites.
Art
http://home.epix.net/~artnpeg
|
|
Posted by Sol on April 22, 2006, 12:10 am
If you were Registered and logged in, you could reply and use other advanced thread options
> There's no such thing as bullet proof software.
I know and agree. I seek the software that stops the most bullets the
most of the time. =)
> I'd be far more worried about your use of IE. You should really only
> use it for updating Windows security patches, and for known trusted
> web sites. Make Firefox or Opera your default browser. That way you
> are far safer with clickable links in email and newsgroups as well.
I custom configured all my IE "Internet Zone" security settings so that
no content at all--at least that which IE gives you options to enable
or disable--is permitted to run by default (since all sites are, by
definition, in the "Internet Zone") unless I say otherwise (by adding
the site in question to my "Trusted Zone"). I can say for a certainty
that my browsing speed has noticeably increased as a consequence (YMMV)
and I see next to no popups (and only on sites that I put in the
"Trusted Zone"). No antimalware scan I've run has picked up anything
on any of my machines (and I've run multiple scans over a long period
of time). Now, to be fair, I don't often browse to sites that would
appear to host malicious active content, but I don't fear to click on a
seemingly shady link if it applies to what I'm browsing for, so I
believe I can say *sometimes* I expose myself to bad webcode.
Now, if you're saying that something above and beyond all that
exists--such as some IE vulnerability that could penetrate my security
settings, my watchfulness with email attachments and downloads (esp.
freeware and shadyware), my being situated behind a properly configured
CISCO 806 SOHO router / firewall, and my general skepticism about
anything that looks suspicious--then please, let me know! To be
honest, the only reason I use IE is because 1) I like its UI; 2) it
comes bundled with Windows and I don't like having to install a
different browser; 3) I've been under the impression that, at least as
far as web browsers are concerned, active content in web sites
themselves was the only vector of attack that you are exposed to simply
by using a particular browser.
To clarify that last statement, say browser X supports ActiveX, but
browser Y doesn't. Obviously, ActiveX code (malicious or otherwise)
will only run on browser X; however, that doesn't stop browser Y from
being compromised due to malware already present on the machine it's
being run from (gotten from, say, a trojan that a user downloaded in
ignorance).
Now, that's just what I thought; if I'm wrong, please tell me!
I mean, if there's something intrinsically wrong with IE--if I can't
trust that, for example, disabling "Run ActiveX Controls and Plugins"
ACTUALLY prevents ActiveX controls and plugins from running--then I've
been laboring under a misunderstanding and would greatly appreciate
being set right!
On the other hand, if IE is safe enough when properly configured and
you thought I meant something else, or you're just biased against IE (a
sentiment I understand though I don't practice it =) please let me
know anyway so that I don't worry about this. =)
Thanks for your input!
Cheers!
|
| Similar Threads | Posted | | Another Norton horror story? | January 25, 2006, 12:10 pm |
| AVG email scanner hangs/continues to scan endlessly after email download | November 10, 2006, 10:21 am |
| McAfee Email Proxy error with Eudora Email-crash! | August 10, 2006, 4:18 pm |
| OT: Spoofed Email | April 17, 2006, 1:58 pm |
| AVG Email scanning | June 14, 2006, 9:19 pm |
| AVG Email scanning | June 14, 2006, 9:19 pm |
| Why scan email? | June 19, 2006, 12:27 pm |
| from what country this email ?? | July 31, 2006, 12:21 am |
| Email I "sent" with viruses | November 3, 2006, 12:23 am |
| Ferom my email | January 25, 2007, 3:20 pm |
|
XML site map