Foundations: What's Risky about Email Attachments?
by John Labovitz, Security Consultant
It's a typical busy day at the office. Reading your email between crises, you quickly delete that spam message that arrived with a snappy graphic, you file away the Word-formatted resume, and you save for later an MP3 tune from your brother.
In those few moments, a quickly propagating email virus could infect and destabilize your computer, or even erase your hard drive.
All of those attacks could be carried in attachments -- files or data that are added after the main body of email messages.
Why can attachments be dangerous?
It helps to understand how attachments work. Some of the programs running on your networked desktop computer rely on another computer to perform some operations. This is called a client-server architecture. An application like Outlook is actually an email client that receives the mail from an email server. Today's email clients promote productivity -- but not security. They are designed to be flexible and transparent to the user; they make few decisions about the safety of an attachment.
When the sender's email client adds the attachment data to an outgoing message, it marks the attachment with two items: the type of data (also known as the content type or MIME type), and the original filename of that data. The receiver's email client uses the type and filename to determine how to interpret the data -- a graphic is displayed along with the message text; an audio file is played; a Word document is shown as a link that can be clicked on.
Unfortunately, email clients rarely make any distinction between attachment types. Although clients may interpret some attachments directly, and pass others off to "helper" programs, they leave the safety decision entirely to the user.
Often, you don't get to make that decision. When showing a summary of messages in a mailbox, many email clients do not indicate whether a message contains attachments. If you open the message, the client will interpret the attachments immediately, or show links to open the attachments.
What kinds of attachments are dangerous?
First up is the executable program. Like a program you'd run yourself (Word, for example), an executable attachment is interpreted directly by the computer. Running executables is extremely risky, leaving you vulnerable to the whims of an attacker: an executable may install a virus, covertly transfer your data to a remote host computer, or even destroy your data entirely.
However, an executable program must be written for a specific type of computer and operating system (for example, Windows running on an Intel processor). If you are using a different environment (say, Linux or Macintosh) you may be immune to that particular type of attachment -- but vulnerable to another type.
Documents that contain "static" information like text and graphics may also contain scripts. Microsoft Word and Excel can embed scripts inside ordinary word processing or spreadsheet documents. Although this "macro" capability can be powerful if used well, using this technology opens the risk of having those programs interpret scripts you didn't expect. Most programs of this type now do a better job at warning the user of potential danger -- but be sure to pay attention to the warnings! (Ironically, some scripts have the capability of turning off the warning messages entirely.)
Attachments with no executable or scripted content must still be interpreted by the email client itself. A graphic or audio attachment may be corrupted or intentionally manipulated to crash your email client.
Attachments that seem safe may be disguised by clever names -- an executable program may look a lot like an MP3 file if the name is Madonna.MP3.exe.
How can you protect yourself?
Be conscious of what you're doing. If a message is from someone you don't know, be suspicious of any attachments. Even if it is from an acquaintance, it may be an email virus that the sender unknowingly received, or the sender may be unaware that the attachment is dangerous. If your client displays a link to an attachment, always save it to a file first -- never open it directly. Then, before opening it, carefully inspect the file (in Windows, find the file on your desktop, then right-click it and choose "Properties"; on the Macintosh, select the file, pull down the "File" menu in the Finder and select "Get Info"). Scan the file for viruses if you can. After opening the file, check your system for viruses just to be sure you're still safe. (Of course, keep up to date on your virus-checking programs!)
Keep up to date on your software, including the operating system, email clients, and related utilities. The industry has been good about responding to attacks, speedily modifying programs to make them more secure. What most hackers take advantage of is any site running old software with known security holes, where the administrator has failed to apply recent patches or upgrades that plug those holes.
If you are using a firewall, you may be able to configure it to block or reroute certain types of attachments. The WatchGuard Firebox can be told to block any attachment that does not match a "safe list" of certain types, and to block attachment filenames that match certain patterns (the procedure is described in the Firebox User Guide). The combination of these allow the safer attachments (text, images, audio), while removing executables and scripts.
You can help to ensure that the mail you send is also safe. Communicate with your recipients to learn what attachments they prefer (they may not want them at all!). You may be able to store the file on a public filesharing Web service like Yahoo Briefcase. Or if the file is a simple word-processing document, copy and paste the text into the main body of the email instead of attaching it.
If you do send an attachment, make sure the file to be attached is clean. Check it for viruses; if appropriate, remove any macro scripts. Send safer, open formats like text or RTF instead of proprietary, binary formats. Avoid sending executable files.
There is no method guaranteed to avoid dangerous attachments. But by being aware of what you receive, treating attachments as suspicious data, and keeping up to date on exploits and related fixes, you'll protect yourself better, prevent spreading viruses, and make email a safer tool.
AVERT Virus Alerts
Copyright© 2001, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.