Can an opened email infect a PC? Is Driveby Spam the new Internet threat?

Can simply opening an email, without clicking any links inside it or running any attachments, infect our PC? I have always recommended that my readers never run an attachment or click a link contained in an unsolicited, spam-looking email, to avoid malware infections, but it seems the subject must be treated in more depth. I have read an article written by a German email security company named eleven, which claims:

 The eleven Research Team has issued a warning about a new and particularly dangerous e-mail-borne method to infect PCs with viruses and Trojans. This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client. Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected. The new generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the e-mail is opened. This is similar to so-called driveby downloads which infect a PC by opening an infected Website in the browser. Driveby spam eliminates the detour via attachments or links in the e-mail and also affects cautious users which would never open an unknown attachment or link.

In short, they say that simply viewing an HTML email causes malicious JavaScript code to execute and lead to an Exploit Kit webpage. They also post an image of a Mozilla Thunderbird email client window, presumably executing the malicious JavaScript and displaying:

Loading…Please Wait….

These are the notorious words that are also displayed when a user reaches a webpage hosting the Phoenix Exploit Kit, so the threat posed by opening such an email under these conditions is obvious. The main question is which email clients allow JavaScript code to be executed, and when. By default, JavaScript support is disabled in the Thunderbird email client, so for this attack to succeed the user must enable JavaScript voluntarily. Because the risks are well known, I don’t know many Thunderbird users with JavaScript enabled; in fact, I know none. So the chances of being infected while running a default Thunderbird installation are not small but ZERO.

OK, but how about the Microsoft Outlook email client? Does it execute JavaScript embedded in emails by default? I made a little study of Outlook versions: it seems that Outlook 98, Outlook 2000 and Outlook 2003 used the Internet Explorer engine for rendering HTML emails, while the more recent versions, Outlook 2007 and Outlook 2010, use Microsoft Word for rendering HTML emails. Interestingly, searching the Internet I found strong campaigns against using Microsoft Word as the HTML email rendering engine, veritable calls to arms; for example, take a look at “Microsoft Breaks HTML Email Rendering in Outlook 2007” or “Microsoft to ignore web standards in Outlook 2010 – enough is enough”.

The complaints I have read are basically about restricting the user’s ability to create beautiful emails and use “smart art” in Outlook 2007 and 2010 with Word as the HTML rendering engine. Well, to tell you the truth, all these complaints, viewed in terms of email security, make me smile.

The complaints make me smile because there is a law: the safest emails are plain-text emails.

No embedded images allowed: they make user tracking possible and encourage spam. If a spammer sends you an email containing a 1×1 pixel image and you view it, the spammer will know that somebody actually opened and read the email, and will send dozens of spam emails in return.

No active content enabled whatsoever: allowing JavaScript and iFrames in emails is asking for trouble.
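As an added illustration (not code from the original post), the following Python example scans the HTML parts of a message for the content discussed above: scripts, iframes, inline event handlers and remote images such as 1×1 tracking pixels. The sample message and the names `ActiveContentFinder` and `scan_message` are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real spam sample), used only as test input.
SAMPLE = b"""\
From: sender@example.com
Subject: constructed test message
Content-Type: text/html; charset="utf-8"

<html><body onload="go()">
<script src="http://example.com/a.js"></script>
<iframe src="http://example.com/frame"></iframe>
<img src="http://example.com/p.gif" width="1" height="1">
<p>Loading...Please Wait...</p>
</body></html>
"""

class ActiveContentFinder(HTMLParser):
    """Records script/iframe tags, on* event handlers and remote images."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(("active-tag", tag))
        for name in attrs:
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
        src = attrs.get("src", "")
        if tag == "img" and src.lower().startswith(("http:", "https:", "//")):
            tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
            self.findings.append(("tracking-pixel" if tiny else "remote-image", src))

def scan_message(raw: bytes):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = ActiveContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for kind, detail in scan_message(SAMPLE):
        print(f"{kind:15} {detail}")
```

A plain-text message yields no findings, since only `text/html` parts are inspected.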

For Outlook security, Microsoft made a beneficial step by switching from the Internet Explorer HTML rendering engine to Microsoft Word: not very beautiful emails, but more secure ones.

To conclude: theoretically, it is possible to insert malicious JavaScript code into an HTML email and have that JavaScript executed on the victim’s computer, leading to an infection, but this is not probable in real life unless someone is stupid enough to enable JavaScript in his email client; there is simply no reason to do that.

Keep safe!

Posted in Thoughts.
