Fixing Windows 98 insecurities

2 - Protecting yourself against email worms

The following is based solely on my own experience with Windows 98. Similar actions are possible in other versions of Windows but the exact process may vary slightly. Use the links in the navigation bar for more detailed help and for other versions of Windows.

Outlook Express

The single largest problem with email security lies in the use of HTML format messages. Protecting yourself from infected HTML format emails is not as easy as protecting others. One option relates to the Security settings within Outlook Express, another relates to the behaviour of Windows itself when infected HTML format emails are opened. Both options can be combined if necessary for extra peace of mind.

In Outlook Express, go to the Options dialog and select Security. (Tools on the main menu, click Options.) Click on the drop down list marked Zone:

Tools menu

Select restricted sites zone and click on Settings. Select Custom and click on Settings.

menu

In the dialog box scroll down to Active Scripting and click on Disable.

Options dialog

Click OK to activate the custom settings, the zone settings, the security tab settings and the Options dialog in turn.

You will now get a security warning within Outlook Express if you receive an HTML format email that contains Javascript or VBScript, warning you that the "page" may not display as intended. The scripting code will not execute - before or after you respond to the alert. If you want to execute the code, save the email as a normal HTML page and load it into your browser once you are satisfied that the code is safe. This protects you from any hidden code that may lie in the HTML code. These changes are enough to stop someone infecting you with code to track an email as it is forwarded through a group of friends or employees through a technique now known as email wiretapping which cannot work without hidden HTML code. It is also sufficient to prevent all emails which are infected with worms like ILOVEYOU and KAK from infecting you in the first place rather than just stopping the spread to people listed in your Windows Address Book.

HTML format email that doesn't contain any scripting will not be affected and those HTML format emails which do contain script will still display as much of the HTML as possible without executing the scripts. Both HTML format and plain text emails can contain other attachments and insecure or dangerous code can be hidden within these attachments.

Handling active attachments safely

Internet email worms may appear in your Inbox as plain text email but with an attachment. (e.g. the Anna Kournikova worm). These attachments pretend to be images or Word documents or other interesting formats - anything except the real filetype, VBS script. They often utilise the habit of Windows hiding certain "active" filetypes by hiding the file extension. The attachment uses a false file extension which fools some users into thinking it is safe to open the attachment. e.g. sexyimageofcelebrity.jpg.vbs will show in the attachment menu as sexyimageofcelebrity.jpg - only when the "image" is opened will the user realise that it is not an image at all but active scipt. The changes above to the Restricted Sites zone will protect you if you open the attachment within Outlook Express, but not if you save the attachment as a file.

You can force Windows to always show certain file extensions like .vbs using the Folder Options dialogs. In Windows98, this is available via the View menu in any My Computer window or from the Start Menu. Select the File Types tab and scroll down to find file types using the .vbs, .wsh, .sct, and .wsc extensions. In each case, edit the file type and choose "Always show extension". You may be tempted to simply delete the file type completely but a better option is probably to make the default action Notepad. This way, scripts cannot execute without your knowledge but you still retain the capability to run useful scripts. In WindowsME, deleted file types may be automatically restored but amended default actions are not restored.

These changes will also help you detect unsafe attachments within Outlook Express as the real extension will be shown. One final comment though, the safest method is to install a third party "firewall" program which will intercept not only unsafe attachments but also port scans, trojan attacks and spyware programs. I now use GNU/Linux exclusively but if you still want to use Windows, use Zone Alarm - available free of charge for those Windows users who do not need to share their internet connection across a local network.