Analysis: Is HTML e-mail dangerous for your PC, or just your eyeballs?

Twitter protest quiets down, but questions remain

Last week's online protest against Microsoft Outlook is turning out to be a tempest-in-a-Tweet.

As of today, almost 24,000 Twitter users had tweeted their support for the protest, which aims to get Microsoft Corp. to improve Outlook's engine for displaying rich Web content, Microsoft Word.

Twenty-four thousand tweets is impressive. But it pales in comparison to the hundreds of millions of corporate workers using Outlook today (304 million by the end of 2011, estimates one researcher, the Radicati Group).

With Microsoft unequivocally rejecting the protests, the movement is losing steam. After garnering 20,000 tweets in its first 24 hours, it has averaged about 1,000 per day since then.

One of the software maker's defenses for why it is satisfied with Word's HTML rendering is that it is safer for users than a full-fledged browser such as Internet Explorer, which it used for many years until Outlook 2007.

"Word cannot run Web script or other active content that may threaten the security and safety of our customers," said Microsoft executive William Kennedy.

That raises several questions. Is HTML e-mail still dangerous today, or is Microsoft using security as an excuse not to comply with Web standards?

Dave Greiner, head of an Australian e-mail marketing software vendor and organizer of the protest, said it's the latter.

"I have never gotten porn spam or a virus getting HTML e-mail," Greiner commented on his blog last week. "It makes me wonder what you are looking at on the internet to be so concerned ;)"

But despite significant advances in e-mail security software and desktop antivirus applications, users still face plenty of malevolent stuff lurking amidst the HTML-created images, videos, fancy layouts and hyperlinks, say security and privacy experts interviewed by Computerworld.

"There is an inherent risk in HTML e-mail, and there always will be," said Tal Golan, president and CTO of antispam vendor Sendio Inc.

Others say HTML e-mail's bigger threat is to users' tastes (more on this later).

HTML e-mail started becoming popular earlier this decade, when it was embraced by marketers, who envisioned more effective ads, and by some users, who enjoyed its convenience and look-and-feel.

But spammers and other over-aggressive marketers also saw HTML e-mail as their chance to deploy technologies such as "Web bugs" -- tiny GIF images that, when invisibly downloaded by viewing users, allow marketers to track their activity or simply confirm the validity of the e-mail address (for spam purposes).

Web bugs can even be used for more hard-core spying. Hewlett-Packard Co. admitted several years ago to using Web bugs to spy on reporters during an internal investigation of news media leaks by board members.

Web bugs, nowadays known as Web beacons, remain an underrated privacy threat.

"Most people still don't have a clue that Web bugs exist," said Corey Ciochetti, an assistant professor of business at the University of Denver.

As a result, many companies don't block Web bugs, even if they have gateway security software that can do so, said Bradley Anstis, director of technical strategy at security vendor Marshal8e6.

Worse than Web bugs are phishing e-mails. Phishing remains hard for e-mail security software to stop because no payload is attached that can be cleaned, Golan said. Rather, users are tricked into clicking on an authentic-looking Web site.

And in the cases of both phishing and Web bugs, home users are unlikely to enjoy the protection of a corporate e-mail security gateway. Web-hosted e-mail services such as Yahoo Mail or Gmail help protect against these, but are themselves vulnerable to JavaScript or SQL injection attacks, he said.

Word's issues

So do Word's shortcomings make Outlook safer from HTML e-mail?

Anstis thinks so. "Categorically, the most dangerous app on your PC is your Web browser," he said. "The problem with Web browsers is that they execute all the code on the page. Word is not going to do that."

But Golan said this is a short-sighted view. Open-source browsers such as Firefox, the WebKit-based Google Chrome and Apple Inc.'s Safari can be fixed more quickly by third-party vendors because of the openness of their code.

"Nobody gets to see how Word works," Golan said.

Moreover, the relative imperviousness of the Word-based Outlook 2007 may be a temporary thing, based on its small usage (most users are still using IE-based versions such as Outlook 2003), Golan said.

As the Word-dependent Outlook 2007 and the in-development Outlook 2010 become more popular, attacks targeting Microsoft Word macros, such as 1999's Melissa virus, are likely to re-emerge, Golan said.

Some say get rid of HTML e-mail

For a small but vocal subset of users, the solution is simple: Dump HTML e-mail altogether.

"Sorry, but HTML has no place in mail," wrote mmu_man, in comments on the Email Standards Project blog. "Instead of spending time choosing fonts, why not proofread?"

Agreed another commentator, Kevin: "Send text and put your pretty little spammy messages on websites."

But Greiner asks: Why not fix Outlook's rendering engine, so that users have the choice of reading e-mails in plain text or seeing the true HTML version?

"Hey text people! Millions of people love HTML email, and opt-in to get HTML marketing messages," he wrote. "People like pictures! Just because you don't like it doesn't mean it's evil."

But if 100% security is the goal, Golan argued that HTML e-mail remains too dangerous, and users too untrustworthy.

"Who doesn't sometimes click on the button to see the images in their e-mail?" he said.


Eric Lai

Computerworld (US)