Updated 2002-01-03
This is actually a problem with virtually all email software that displays HTML
email.
There is a way to stop this and almost all other HTML e-mail attacks
and of course it is not simple. I have provided instructions for Microsoft Outlook but the concept
of the protection is the same for all email software. I am amazed at the default
settings for Microsoft Outlook. Basically wide open security, no protection whatsoever.
2001-08-21
I have recently found that my looping browser bug I reported years ago has reared
its ugly head again. Before, you could crash Windows9* by creating an HTML page that
opened an infinite loop of new windows of itself. The system would come to a standstill.
This was resolved by Microsoft (IE4, if I remember right). Well, I can do the same thing
if you use IE and Microsoft Outlook or just Outlook. You could actually do this
since Outlook supported HTML email.
Imagine... You are working on that project for hours and see an email from someone and think you should open it... THINK AGAIN!!!! Open it and you could lose all your hard work. That email can crash your system. Your only chance is to save everything just before you open that mail. Would that upset you? Even if you were not working on anything special I don't think you would like to have to power off your system and restart because you read an email.
Well it can, and anyone that can write script can do it to you. They don't even need a website... They can send it to you in email... as soon as you view it... BOOM your system is toast. You will have to reboot. You may even have to power off your computer to get it to shut down. That is after you tried lots of button clicks to get out of the problem.
The fact Microsoft does not give you a choice to stop this invasive "website" really ticks me off. Is no one thinking of even basic security at Microsoft? The concept of HTML email is nice but abuse kills us all and HTML email was obviously going to be abused. 98% of the email that I get that is HTML is advertising!!! Wouldn't it be nice to be able to turn this off completely? Or at least turn off active content (script/ActiveX/Java...) for email. I tried to BLOCK all HTML email but have not figured a way that Outlook will let you. I wrote a previous opinion on HTML email pointing out its problems.
The only good thing is it is not a virus per se and will not affect your system in the future unless you open it again.
If someone was to get just a little more creative I believe you could cause more long term problems quite easily. I have thought of at least a few myself but don't want to promote hacking. Matter of fact I do not feel comfortable providing this much info on how to do it.
At least Outlook will detect there was a problem with the email and give you a chance to delete the bad mail when you restart Outlook. Make sure you delete the email immediately upon restarting Outlook. If you don't, simply selecting it later will cause your system to crash again.
If you don't believe me send me your email address, I will confirm you want me to crash your system. If you confirm I will send you an email to crash your Windows system.
This issue has been reported by myself to Microsoft. The concept could easily be extended to other software. The same basic concepts are being used to transmit malicious viruses all over the Internet.
You can use another email software that does not display HTML pages (at least not automatically).
I used to use Eudora, I think I will go back. Since there are huge security issues
with viewing HTML email, particularly with Outlook, this is probably the best choice.
Or... Talk about shooting myself in the foot... You could disable scripts in your
security settings in Internet Explorer. Unfortunately then surfing the web is just
about useless. Even worse you won't be able to come to this cool site... but
I would remind you that you do not have script enabled and you could adjust. You could
put this site in a trusted site list and enable scripts for trusted sites only.