Preview Pane security - Mozilla

This is a discussion on Preview Pane security - Mozilla ; On another list, a user who is using 'Thunderbird 1.5.0.12 (Windows/20070509)' wrote: ...I turn off the Preview Pane; the Preview Pane is highly insecure anyway, so turning it off is always a good idea. I was not aware of any ...

+ Reply to Thread
Results 1 to 15 of 15

Thread: Preview Pane security

  1. Preview Pane security


    On another list, a user who is using 'Thunderbird 1.5.0.12
    (Windows/20070509)' wrote:

    ...I turn off the Preview Pane; the Preview Pane is highly insecure
    anyway, so turning it off is always a good idea.

    I was not aware of any problems so I asked him for an explanation. He
    replied:

    The Preview Pane *opens* the message. Opening a message can trigger
    certain
    forms of attack ...

    When I questioned this he gave this as a source:

    Thunderbird may well be safe in this regard but
    http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    otherwise.

    That site says:

    The very first thing to do when you are using an e-mail client is to
    disable the Preview Pane (Message Pane for Thunderbird users). Many
    users use the Preview Pane because it provides a quick way of
    reading your mail without cluttering your desktop with a bunch of
    windows. But you sacrifice security for luxury when you use the
    Preview Pane.

    Is there any validity to this? It is my understanding that this applies
    to M$ Lookout (I have never used it) but not to Thunderbird. I know it
    didn't apply to Pegasus which I used to use.

    --
    Larry I. Gusaas
    Moose Jaw, Saskatchewan

    Website: http://larry-gusaas.com

  2. Re: Preview Pane security

    Larry Gusaas wrote:
    > On another list, a user who is using 'Thunderbird 1.5.0.12
    > (Windows/20070509)' wrote:
    >
    > ...I turn off the Preview Pane; the Preview Pane is highly insecure
    > anyway, so turning it off is always a good idea.
    >
    > I was not aware of any problems so I asked him for an explanation. He
    > replied:
    >
    > The Preview Pane *opens* the message. Opening a message can trigger
    > certain
    > forms of attack ...
    >
    > When I questioned this he gave this as a source:
    >
    > Thunderbird may well be safe in this regard but
    > http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    > otherwise.
    >
    > That site says:
    >
    > The very first thing to do when you are using an e-mail client is to
    > disable the Preview Pane (Message Pane for Thunderbird users). Many
    > users use the Preview Pane because it provides a quick way of
    > reading your mail without cluttering your desktop with a bunch of
    > windows. But you sacrifice security for luxury when you use the
    > Preview Pane.
    >
    > Is there any validity to this? It is my understanding that this applies
    > to M$ Lookout (I have never used it) but not to Thunderbird. I know it
    > didn't apply to Pegasus which I used to use.
    >


    And what do you expect from the guy who's last name is "de Beer"

    --
    Please do not email me for help. Reply to the newsgroup
    only. And only click on the Reply button, not the Reply All
    or Reply to Author. Thanks!

    Peter Potamus & His Magic Flying Balloon:
    http://www.toonopedia.com/potamus.htm

  3. Re: Preview Pane security

    On 8/1/07 1:57 PM, Peter Potamus the Purple Hippo wrote:
    > Larry Gusaas wrote:
    >> On another list, a user who is using 'Thunderbird 1.5.0.12
    >> (Windows/20070509)' wrote:
    >>
    >> ...I turn off the Preview Pane; the Preview Pane is highly insecure
    >> anyway, so turning it off is always a good idea.
    >>
    >> I was not aware of any problems so I asked him for an explanation. He
    >> replied:
    >>
    >> The Preview Pane *opens* the message. Opening a message can trigger
    >> certain
    >> forms of attack ...
    >>
    >> When I questioned this he gave this as a source:
    >>
    >> Thunderbird may well be safe in this regard but
    >> http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    >> otherwise.
    >>
    >> That site says:
    >>
    >> The very first thing to do when you are using an e-mail client is to
    >> disable the Preview Pane (Message Pane for Thunderbird users). Many
    >> users use the Preview Pane because it provides a quick way of
    >> reading your mail without cluttering your desktop with a bunch of
    >> windows. But you sacrifice security for luxury when you use the
    >> Preview Pane.
    >>
    >> Is there any validity to this? It is my understanding that this
    >> applies to M$ Lookout (I have never used it) but not to Thunderbird.
    >> I know it didn't apply to Pegasus which I used to use.
    >>

    >
    > And what do you expect from the guy who's last name is "de Beer"
    >


    I don't understand how this relates to the question I asked. Please
    respond to my question without your meaningless OT gibberish.

    --
    Larry I. Gusaas
    Moose Jaw, Saskatchewan

    Website: http://larry-gusaas.com

  4. Re: Preview Pane security

    Larry Gusaas wrote:
    > On 8/1/07 1:57 PM, Peter Potamus the Purple Hippo wrote:
    >> Larry Gusaas wrote:
    >>> On another list, a user who is using 'Thunderbird 1.5.0.12
    >>> (Windows/20070509)' wrote:
    >>>
    >>> ...I turn off the Preview Pane; the Preview Pane is highly insecure
    >>> anyway, so turning it off is always a good idea.
    >>>
    >>> I was not aware of any problems so I asked him for an explanation. He
    >>> replied:
    >>>
    >>> The Preview Pane *opens* the message. Opening a message can trigger
    >>> certain
    >>> forms of attack ...
    >>>
    >>> When I questioned this he gave this as a source:
    >>>
    >>> Thunderbird may well be safe in this regard but
    >>> http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    >>> otherwise.
    >>>
    >>> That site says:
    >>>
    >>> The very first thing to do when you are using an e-mail client is to
    >>> disable the Preview Pane (Message Pane for Thunderbird users). Many
    >>> users use the Preview Pane because it provides a quick way of
    >>> reading your mail without cluttering your desktop with a bunch of
    >>> windows. But you sacrifice security for luxury when you use the
    >>> Preview Pane.
    >>>
    >>> Is there any validity to this? It is my understanding that this
    >>> applies to M$ Lookout (I have never used it) but not to Thunderbird.
    >>> I know it didn't apply to Pegasus which I used to use.
    >>>

    >> And what do you expect from the guy who's last name is "de Beer"
    >>

    >
    > I don't understand how this relates to the question I asked. Please
    > respond to my question without your meaningless OT gibberish.
    >


    geeez, what a pain. Can't take a little humor? Guess not.
    So, I'll beat you to the punch bowl:

    P L O N K !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    --
    Please do not email me for help. Reply to the newsgroup
    only. And only click on the Reply button, not the Reply All
    or Reply to Author. Thanks!

    Peter Potamus & His Magic Flying Balloon:
    http://www.toonopedia.com/potamus.htm

  5. Re: Preview Pane security



    Larry Gusaas wrote:
    > On another list, a user who is using 'Thunderbird 1.5.0.12
    > (Windows/20070509)' wrote:
    >
    > ...I turn off the Preview Pane; the Preview Pane is highly
    > insecure anyway, so turning it off is always a good idea.
    >
    > I was not aware of any problems so I asked him for an explanation. He
    > replied:
    >
    > The Preview Pane *opens* the message. Opening a message can
    > trigger certain
    > forms of attack ...
    >
    > When I questioned this he gave this as a source:
    >
    > Thunderbird may well be safe in this regard but
    > http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    > otherwise.
    >
    > That site says:
    >
    > The very first thing to do when you are using an e-mail client is
    > to disable the Preview Pane (Message Pane for Thunderbird users).
    > Many users use the Preview Pane because it provides a quick way of
    > reading your mail without cluttering your desktop with a bunch of
    > windows. But you sacrifice security for luxury when you use the
    > Preview Pane.
    >
    > Is there any validity to this? It is my understanding that this
    > applies to M$ Lookout (I have never used it) but not to Thunderbird.
    > I know it didn't apply to Pegasus which I used to use.


    I asked this very same question here over a year ago. It was clear to me
    from the replies that nobody really knew and therefore, even with T-bird set
    to block remote images, I don't use it.



  6. Re: Preview Pane security



    Roger Fink wrote:
    > Larry Gusaas wrote:
    >> On another list, a user who is using 'Thunderbird 1.5.0.12
    >> (Windows/20070509)' wrote:
    >>
    >> ...I turn off the Preview Pane; the Preview Pane is highly
    >> insecure anyway, so turning it off is always a good idea.
    >>
    >> I was not aware of any problems so I asked him for an explanation. He
    >> replied:
    >>
    >> The Preview Pane *opens* the message. Opening a message can
    >> trigger certain
    >> forms of attack ...
    >>
    >> When I questioned this he gave this as a source:
    >>
    >> Thunderbird may well be safe in this regard but
    >> http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    >> otherwise.
    >>
    >> That site says:
    >>
    >> The very first thing to do when you are using an e-mail client is
    >> to disable the Preview Pane (Message Pane for Thunderbird users).
    >> Many users use the Preview Pane because it provides a quick way
    >> of reading your mail without cluttering your desktop with a
    >> bunch of windows. But you sacrifice security for luxury when you
    >> use the Preview Pane.
    >>
    >> Is there any validity to this? It is my understanding that this
    >> applies to M$ Lookout (I have never used it) but not to Thunderbird.
    >> I know it didn't apply to Pegasus which I used to use.

    >
    > I asked this very same question here over a year ago. It was clear to
    > me from the replies that nobody really knew and therefore, even with
    > T-bird set to block remote images, I don't use it.


    And it is a very relevant question.



  7. Re: Preview Pane security

    On 01.08.2007 14:40, Larry Gusaas wrote:

    --- Original Message ---

    > On another list, a user who is using 'Thunderbird 1.5.0.12
    > (Windows/20070509)' wrote:
    >
    > ...I turn off the Preview Pane; the Preview Pane is highly insecure
    > anyway, so turning it off is always a good idea.
    >
    > I was not aware of any problems so I asked him for an explanation. He
    > replied:
    >
    > The Preview Pane *opens* the message. Opening a message can trigger
    > certain
    > forms of attack ...
    >
    > When I questioned this he gave this as a source:
    >
    > Thunderbird may well be safe in this regard but
    > http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    > otherwise.
    >
    > That site says:
    >
    > The very first thing to do when you are using an e-mail client is to
    > disable the Preview Pane (Message Pane for Thunderbird users). Many
    > users use the Preview Pane because it provides a quick way of
    > reading your mail without cluttering your desktop with a bunch of
    > windows. But you sacrifice security for luxury when you use the
    > Preview Pane.
    >
    > Is there any validity to this? It is my understanding that this applies
    > to M$ Lookout (I have never used it) but not to Thunderbird. I know it
    > didn't apply to Pegasus which I used to use.
    >


    There is "some" validity to that. However, with Javascript disabled,
    remote images disabled and the view message body selected to plain text,
    there is no problem with opening ANY messages. Attachments can be a
    different story IF the user downloads AND executes the attached file.
    Simply opening a message containing an attachement is no cause for alarm
    as it requires further deliberate action of the user.

    I don't remember, but I think that Javascript is disabled by default in TB.

    --
    Jay Garcia Netscape/Mozilla Champion
    UFAQ - http://www.UFAQ.org

  8. Re: Preview Pane security



    clay wrote:
    > Roger Fink wrote:
    >> Larry Gusaas wrote:
    >>> On another list, a user who is using 'Thunderbird 1.5.0.12
    >>> (Windows/20070509)' wrote:
    >>>
    >>> ...I turn off the Preview Pane; the Preview Pane is highly
    >>> insecure anyway, so turning it off is always a good idea.
    >>>
    >>> I was not aware of any problems so I asked him for an explanation.
    >>> He replied:
    >>>
    >>> The Preview Pane *opens* the message. Opening a message can
    >>> trigger certain
    >>> forms of attack ...
    >>>
    >>> When I questioned this he gave this as a source:
    >>>
    >>> Thunderbird may well be safe in this regard but
    >>> http://www.cybertopcops.com/tips_tri...p#preview_pane
    >>> suggests otherwise.
    >>>
    >>> That site says:
    >>>
    >>> The very first thing to do when you are using an e-mail client
    >>> is to disable the Preview Pane (Message Pane for Thunderbird
    >>> users). Many users use the Preview Pane because it provides a
    >>> quick way of reading your mail without cluttering your desktop
    >>> with a bunch of windows. But you sacrifice security for luxury
    >>> when you use the Preview Pane.
    >>>
    >>> Is there any validity to this? It is my understanding that this
    >>> applies to M$ Lookout (I have never used it) but not to Thunderbird.
    >>> I know it didn't apply to Pegasus which I used to use.

    >>
    >> I asked this very same question here over a year ago. It was clear
    >> to me from the replies that nobody really knew and therefore, even
    >> with T-bird set to block remote images, I don't use it.
    >>
    >>

    >
    > Well, I really don't know... but I have been using Thunderbird,
    > Communicator, etc., for ~10 years.
    > With the preview pane open.
    > Has to be hundreds of thousands of emails (having the same email
    > address
    > for 10 years will get you spammed a lot!) and never had an infection
    > because of previewing email... Never had an infection at all, but
    > that's another story.
    > The new IT guy here allowed folks to use Outaluck (I never did when I
    > ran IT here) and since has had to fix/format/delouse, several
    > workstations. I'm not saying it was Internet Exploiter/Outaluck that
    > caused it but in the years I didn't allow either, we had a handful of
    > minor infarctions... none that propagated, and none that required more
    > than a little cleaning... usually just remove the file from quarantine
    > so the AV would stop hitting on it every day.
    > That's ~ 50 workstations for ~10 years.
    > So, I don't know nothing but I do know that if previewing email in TB
    > would get you infected, we'd have seen a lot more of it.
    > ymmv...


    I don't know nothing neither, but empirical evidence, while it may be good
    for drug studies, won't do it for me here. When you ask on this board if
    Thunderbird email benefits from on-access anti-virus scanning, the answer is
    no, but when you ask the same question in the Avast forum the answer is yes.
    So faced with that range of outcomes, and without intending to impugn
    anybody's judgment, I play it safe. The answer to these kinds of questions
    sometimes seems to depend on what part of the Computer Universe one
    inhabits.



  9. Re: Preview Pane security

    On 8/1/2007 6:36 PM, Thunderbird leader Jay Garcia by teletype announced:
    > On 01.08.2007 14:40, Larry Gusaas wrote:
    >
    > --- Original Message ---
    >
    >
    >> On another list, a user who is using 'Thunderbird 1.5.0.12
    >> (Windows/20070509)' wrote:
    >>
    >> ...I turn off the Preview Pane; the Preview Pane is highly insecure
    >> anyway, so turning it off is always a good idea.
    >>
    >> I was not aware of any problems so I asked him for an explanation. He
    >> replied:
    >>
    >> The Preview Pane *opens* the message. Opening a message can trigger
    >> certain
    >> forms of attack ...
    >>
    >> When I questioned this he gave this as a source:
    >>
    >> Thunderbird may well be safe in this regard but
    >> http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    >> otherwise.
    >>
    >> That site says:
    >>
    >> The very first thing to do when you are using an e-mail client is to
    >> disable the Preview Pane (Message Pane for Thunderbird users). Many
    >> users use the Preview Pane because it provides a quick way of
    >> reading your mail without cluttering your desktop with a bunch of
    >> windows. But you sacrifice security for luxury when you use the
    >> Preview Pane.
    >>
    >> Is there any validity to this? It is my understanding that this applies
    >> to M$ Lookout (I have never used it) but not to Thunderbird. I know it
    >> didn't apply to Pegasus which I used to use.
    >>
    >>

    >
    > There is "some" validity to that. However, with Javascript disabled,
    > remote images disabled and the view message body selected to plain text,
    > there is no problem with opening ANY messages. Attachments can be a
    > different story IF the user downloads AND executes the attached file.
    > Simply opening a message containing an attachement is no cause for alarm
    > as it requires further deliberate action of the user.
    >
    > I don't remember, but I think that Javascript is disabled by default in TB.
    >
    >


    Yes. Tb has an extremely tight security policy for javascript which
    blocks access to the spidermonkey script engine for over 80% of the
    functions of javascript. Thus Tb is far more secure, even with
    javascript enabled, than Fx. In the multimedia test groups we use a
    special security exceptions policy so the DHTML scripts can function.

    --
    Ron K.
    Don't be a fonted, it's just type casting


  10. Re: Preview Pane security

    Peter Potamus the Purple Hippo wrote:
    > Larry Gusaas wrote:
    >> On 8/1/07 1:57 PM, Peter Potamus the Purple Hippo wrote:
    >>> Larry Gusaas wrote:
    >>>> On another list, a user who is using 'Thunderbird 1.5.0.12
    >>>> (Windows/20070509)' wrote:
    >>>>
    >>>> ...I turn off the Preview Pane; the Preview Pane is highly insecure
    >>>> anyway, so turning it off is always a good idea.
    >>>>
    >>>> I was not aware of any problems so I asked him for an explanation. He
    >>>> replied:
    >>>>
    >>>> The Preview Pane *opens* the message. Opening a message can trigger
    >>>> certain
    >>>> forms of attack ...
    >>>>
    >>>> When I questioned this he gave this as a source:
    >>>>
    >>>> Thunderbird may well be safe in this regard but
    >>>> http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    >>>> otherwise.
    >>>>
    >>>> That site says:
    >>>>
    >>>> The very first thing to do when you are using an e-mail client is to
    >>>> disable the Preview Pane (Message Pane for Thunderbird users). Many
    >>>> users use the Preview Pane because it provides a quick way of
    >>>> reading your mail without cluttering your desktop with a bunch of
    >>>> windows. But you sacrifice security for luxury when you use the
    >>>> Preview Pane.
    >>>>
    >>>> Is there any validity to this? It is my understanding that this
    >>>> applies to M$ Lookout (I have never used it) but not to Thunderbird.
    >>>> I know it didn't apply to Pegasus which I used to use.
    >>>>
    >>> And what do you expect from the guy who's last name is "de Beer"
    >>>

    >> I don't understand how this relates to the question I asked. Please
    >> respond to my question without your meaningless OT gibberish.
    >>

    >
    > geeez, what a pain. Can't take a little humor? Guess not.
    > So, I'll beat you to the punch bowl:
    >
    > P L O N K !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



    Humor is all well and good - but it really should be mixed in with an
    ANSWER TO THE QUESTION (at least until someone has answered the question).



    --

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Chris Barnes AOL IM: CNBarnes
    chris@txbarnes.com Yahoo IM: chrisnbarnes

    You always have freedom of choice, but you never have freedom of
    consequence.

  11. Re: Preview Pane security

    Roger Fink wrote:
    > I don't know nothing neither, but empirical evidence, while it may be good
    > for drug studies, won't do it for me here. When you ask on this board if
    > Thunderbird email benefits from on-access anti-virus scanning, the answer is
    > no, but when you ask the same question in the Avast forum the answer is yes.
    > So faced with that range of outcomes, and without intending to impugn
    > anybody's judgment, I play it safe. The answer to these kinds of questions
    > sometimes seems to depend on what part of the Computer Universe one
    > inhabits.



    Indeed - the "computer universe" one inhabits is the key. Which makes
    it even more telling that people like clay (and myself) who have had the
    same email address for a (relative) very long time, AND participate in a
    large number of very public groups (email lists, Big8 Usenet groups,
    etc), AND use the preview pane have *never* gotten an infection/spyware
    from it.

    Like clay, the number of email messages I have recieved has to number in
    the 100's of thousands. And frankly, at least for me, the majority of
    those are NOT legitimate messages (ie. spam, often with attachments that
    contain virii).

    Come to think of it, the only email client I've legitimately seen have a
    problem with an infection via an email preview pane was from either
    Outlook or Outlook Express. And given that of the last 10 years, I have
    used a MS email client for the first 9 (only migrating to TB a year ago)
    - and still never got infected myself. Which leads me to think that
    those that were infected, became so not because they were using the
    preview pane, but because they had failed to apply security patches as
    they became available.

    side: applying security patches is important regardless of the
    specific application or OS. *ALL* of them have patches, and
    *ALL* of them should be applied.


    So from my empirical data point of 1 person, I can definitively say that
    I do NOT feel like the preview pane is a security threat.

    --

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Chris Barnes AOL IM: CNBarnes
    chris@txbarnes.com Yahoo IM: chrisnbarnes

    You always have freedom of choice, but you never have freedom of
    consequence.

  12. Re: Preview Pane security

    Larry Gusaas wrote:
    > I was not aware of any problems so I asked him for an explanation. He
    > replied:
    >
    > The Preview Pane *opens* the message. Opening a message can trigger
    > certain
    > forms of attack ...


    There are only three points in HTML that could be used for attack (and
    two more email-specific points).

    1. The OBJECT tag. Arguably the greatest source of incompatibility
    between browsers, any attack through this vector is likely to be pointed
    at Outlook and probably won't affect Thunderbird. It is reasonable to
    assume that Thunderbird disables OBJECT (and its cousins, EMBED and APPLET).

    2. Javascript. This has already been brought up numerous times, so I
    won't say any more than just keep it disabled.

    3. Frames. I would be willing to bet that Thunderbird disables framing
    in email messages, so this risk is probably mitigated. (Could someone
    more knowledgeable chime in here?)

    Email-specific:
    4. Remote images. Just keep this disabled and you'll be fine in this
    category.

    5. Return receipts. While they can't be used to attack your computer,
    they are tickets to getting lots of spam. Don't let Thunderbird
    automatically handle these for you and this risk is mitigated.

    If return receipts are set to ask me and HTML is turned off, there
    should be no risk except for protocol bugs. If the first 4 points are
    dealt with, then HTML should be safe.

  13. Re: Preview Pane security

    On 03.08.2007 09:38, Joshua Cranmer wrote:

    --- Original Message ---

    > Larry Gusaas wrote:
    >> I was not aware of any problems so I asked him for an explanation. He
    >> replied:
    >>
    >> The Preview Pane *opens* the message. Opening a message can trigger
    >> certain
    >> forms of attack ...

    >
    > There are only three points in HTML that could be used for attack (and
    > two more email-specific points).
    >
    > 1. The OBJECT tag. Arguably the greatest source of incompatibility
    > between browsers, any attack through this vector is likely to be pointed
    > at Outlook and probably won't affect Thunderbird. It is reasonable to
    > assume that Thunderbird disables OBJECT (and its cousins, EMBED and APPLET).
    >
    > 2. Javascript. This has already been brought up numerous times, so I
    > won't say any more than just keep it disabled.
    >
    > 3. Frames. I would be willing to bet that Thunderbird disables framing
    > in email messages, so this risk is probably mitigated. (Could someone
    > more knowledgeable chime in here?)
    >
    > Email-specific:
    > 4. Remote images. Just keep this disabled and you'll be fine in this
    > category.
    >
    > 5. Return receipts. While they can't be used to attack your computer,
    > they are tickets to getting lots of spam. Don't let Thunderbird
    > automatically handle these for you and this risk is mitigated.
    >
    > If return receipts are set to ask me and HTML is turned off, there
    > should be no risk except for protocol bugs. If the first 4 points are
    > dealt with, then HTML should be safe.


    Good stuff ....

    Wouldn't VIEW => Message Body as => "Plain Text" avoid most if not all
    of the above?

    --
    Jay Garcia Netscape/Mozilla Champion
    UFAQ - http://www.UFAQ.org

  14. Re: Preview Pane security

    On 8/3/2007 10:38 AM, Thunderbird leader Joshua Cranmer by teletype
    announced:
    > Larry Gusaas wrote:
    >
    >> I was not aware of any problems so I asked him for an explanation. He
    >> replied:
    >>
    >> The Preview Pane *opens* the message. Opening a message can trigger
    >> certain
    >> forms of attack ...
    >>

    >
    > There are only three points in HTML that could be used for attack (and
    > two more email-specific points).
    >
    > 1. The OBJECT tag. Arguably the greatest source of incompatibility
    > between browsers, any attack through this vector is likely to be pointed
    > at Outlook and probably won't affect Thunderbird. It is reasonable to
    > assume that Thunderbird disables OBJECT (and its cousins, EMBED and APPLET).
    >
    > 2. Javascript. This has already been brought up numerous times, so I
    > won't say any more than just keep it disabled.
    >
    > 3. Frames. I would be willing to bet that Thunderbird disables framing
    > in email messages, so this risk is probably mitigated. (Could someone
    > more knowledgeable chime in here?)
    >
    > Email-specific:
    > 4. Remote images. Just keep this disabled and you'll be fine in this
    > category.
    >
    > 5. Return receipts. While they can't be used to attack your computer,
    > they are tickets to getting lots of spam. Don't let Thunderbird
    > automatically handle these for you and this risk is mitigated.
    >
    > If return receipts are set to ask me and HTML is turned off, there
    > should be no risk except for protocol bugs. If the first 4 points are
    > dealt with, then HTML should be safe.
    >


    Tb as well as Fx do honor the Object and Embed tags. In Tb relese
    versions the back end code is turned off for platfor compatability
    reasions. Trunk builds can support use of plugins.

    --
    Ron K.
    Don't be a fonted, it's just type casting

  15. Re: Preview Pane security

    Chris Barnes wrote:
    > Peter Potamus the Purple Hippo wrote:
    >> Larry Gusaas wrote:
    >>> On 8/1/07 1:57 PM, Peter Potamus the Purple Hippo wrote:
    >>>> Larry Gusaas wrote:
    >>>>> On another list, a user who is using 'Thunderbird 1.5.0.12
    >>>>> (Windows/20070509)' wrote:
    >>>>>
    >>>>> ...I turn off the Preview Pane; the Preview Pane is highly
    >>>>> insecure
    >>>>> anyway, so turning it off is always a good idea.
    >>>>>
    >>>>> I was not aware of any problems so I asked him for an explanation.
    >>>>> He replied:
    >>>>>
    >>>>> The Preview Pane *opens* the message. Opening a message can
    >>>>> trigger
    >>>>> certain
    >>>>> forms of attack ...
    >>>>>
    >>>>> When I questioned this he gave this as a source:
    >>>>>
    >>>>> Thunderbird may well be safe in this regard but
    >>>>> http://www.cybertopcops.com/tips_tri...p#preview_pane suggests
    >>>>> otherwise.
    >>>>>
    >>>>> That site says:
    >>>>>
    >>>>> The very first thing to do when you are using an e-mail client
    >>>>> is to
    >>>>> disable the Preview Pane (Message Pane for Thunderbird users).
    >>>>> Many
    >>>>> users use the Preview Pane because it provides a quick way of
    >>>>> reading your mail without cluttering your desktop with a bunch of
    >>>>> windows. But you sacrifice security for luxury when you use the
    >>>>> Preview Pane.
    >>>>>
    >>>>> Is there any validity to this? It is my understanding that this
    >>>>> applies to M$ Lookout (I have never used it) but not to
    >>>>> Thunderbird. I know it didn't apply to Pegasus which I used to use.
    >>>>>
    >>>> And what do you expect from the guy who's last name is "de Beer"
    >>>>
    >>> I don't understand how this relates to the question I asked. Please
    >>> respond to my question without your meaningless OT gibberish.
    >>>

    >>
    >> geeez, what a pain. Can't take a little humor? Guess not. So, I'll
    >> beat you to the punch bowl:
    >>
    >> P L O N K !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    >
    >
    > Humor is all well and good - but it really should be mixed in with an
    > ANSWER TO THE QUESTION (at least until someone has answered the question).
    >
    >
    >

    In Outlook & Outlook Express viewing a message in the preview pane is
    the same as opening the message. Text mode is 7 bit code making it very
    safe from the ner-do-wells. This is the main reason to view the message
    From, To, Subject, Size, etc. before opening, or previewing, the
    message. So far the bad guys have concentrated on attachments but it is
    only a matter of time before they become more creative. You should also
    not rely heavily on AV software as it will fail you if you are among the
    first to receive a loaded message. Rely instead on good safe practices
    and if you do not recognize the sender, URL, etc. or if you were not
    expecting a message from a friend or family member don't open it until
    you have confirmed with the sender that it is legitimate. If their
    machine became compromised it just might be the virus that is using
    their email list to reach you. As for TB I don't know the code so I
    don't know if preview is the same as opening but hopefully someone who
    does know the code will weigh in at this point.

    James

+ Reply to Thread