It is common to be wary of links and attachments in emails but I have heard some people say that opening the emails themselves can be risky. Are vulnerabilities that can be exploited simply by opening an email common? Have there been any recent examples?
Asked
Active
Viewed 589 times
1 Answers
4
There have been such vulnerabilities that allows code execution when the message is opened or previewed. A recent example is the Microsoft Outlook Memory Corruption Vulnerability CVE-2018-0852 affecting all Outlook products from 2007 through 2016.
Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.
Similar vulnerabilities could be found on ANY email client, but the fewer features a client has, the fewer potential security risks, e.g. Mozilla mentions in Security Advisory 2019-12 about critical vulnerabilities:
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
This gets broader, if you also consider the possibilities provided by the intended features of some email clients, such as downloading any external content like images. Although your computer doesn't get infected, the sender can get information on when you open the email and possibly the location (IP address). Reading all messages in plain text mode enables the least additional features.
xxx
- 167
- 8
Esa Jokinen
- 16,100
- 5
- 50
- 55