Access Denied: Reducing the Risk of Viruses from HTML Email

\[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!\]

How can I avoid the security risks associated with inbound HTML-formatted email? I don't like to depend solely on my antivirus products for protection from worms such as Klez that spread through HTML messages. What more can I do?

Your concern is warranted. Because many email clients (e.g., Microsoft Outlook) use Microsoft Internet Explorer (IE) to display HTML-formatted email messages, some viruses and worms take advantage of IE features to spread through HTML-formatted email messages. You have several options for minimizing this risk, but you'd probably rather eliminate it. If you use Outlook 2000 or later, you can prevent your email client from using IE to display HTML-formatted messages and instead display the message as plain text. First, Outlook 2002 supports a new registry value that causes the system to display as plain text any email that hasn't been digitally signed or encrypted. (See the Microsoft article "OL2002: Users Can Read Nonsecure E-mail As Plain Text" at;en-us;q307594.) This option is a great step forward and should protect you against most email worms that rely on IE vulnerabilities.

But what if a worm designer unleashes a worm that spreads by using signed email messages? If you want to convert all HTML messages to text or if you still use Outlook 2000, consider Russ Cooper's tool Nohtml, an Outlook add-on DLL that automatically converts HTML email messages to plain text in Outlook 2002 and rich text in Outlook 2000. You can download the tool at Nohtml doesn't work on Outlook 98 or earlier versions or on any version of Outlook Express. Also, Nohtml doesn't convert the email message to text before displaying it in the preview pane, so Cooper recommends (and I agree) that you disable the preview pane.

If you use Outlook 98 or earlier or Outlook Express, you still can take several actions to minimize risk. First, update IE with hotfixes and service packs to protect against email-borne malicious software (malware). Second, protect your systems against many email-borne worms by configuring Outlook or Outlook Express to apply IE's Restricted sites security settings to HTML email messages, as Figure 1 shows. To configure this setting in Outlook Express 6.0, select Tools, Options, then select the Security tab and click Restricted sites zone (More secure). Next, configure IE's Restricted Zone to use the strictest setting for every security option: Open IE; select Tools, Internet Options; and select the Security tab. Click the Restricted sites zone, then click Custom Level. Select Disable or Prompt for every setting in the Security Settings window so emails containing ActiveX worms or Java code won't execute. Third, you can select the Do not allow attachments to be saved or opened that could potentially be a virus check box (see Figure 1) to prevent users from opening dangerous attachments.

To reduce the risk of worms that spread through script files sent as email attachments such as .vbs files, change the file associations so that script files don't automatically execute when the Open action triggers, such as when a user double-clicks a file attachment. To change a file's association, open Control Panel, Folder Options and configure .vbs, .vbe, .wsf, .wsh, .js, and .jse files to run notepad.exe instead of WScript. You'll need to change any shortcuts that carry out legitimate scripts to explicitly run the script file with WScript or these scripts will stop working. Changing file associations won't stop all dangerous file types, but it will reduce your probability of infection.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.