Advice Request How exploitable are email clients?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am not asking about the standard risk of downloading a malware file and running it, which will most likely be stopped by all default/deny security setups, and hopefully by the AV as well.
I am asking about the sneaky, fileless exploits.
How vulnerable are email clients to this?
 
  • Like
Reactions: aragornnnn, LASER_oneXM, DardiM and 4 others
W

Wave

Just noticed this thread and of course since it was relating to exploits I had to click on it and reply no matter what the question is... So here I am, the ghost of MT has returned from out of his rock to reply to you! :D

I'm afraid that there is no definitive answer to this question... Every email client may work differently and implement the features differetly, there is no way to class them all as one with a specific level of how vulnerable they are. In fact, you cannot just take one of the e-mail clients and say: this product is exploitable on a level of likely to be exploited.

Let me ask you a question to help yourself make an estimation guess on how secure they are: how often do you see attachments escape the e-mail (without further user-interaction) and infect the system due to exploitation of the e-mail client?

Chances are you've never seen that actually happen to yourself, since it'd be extremely rare and tricky to actually carry out successfully. Normally the e-mail clients don't touch the attachments properly in a way to be executed - they are either stored on the cloud server and downloaded after user-interaction to the host system or they are auto-downloaded to the host system but not executed until you manually run the attachment...
 
  • Like
Reactions: aragornnnn, Winter Soldier, LASER_oneXM and 7 others
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Wave said:
Just noticed this thread and of course since it was relating to exploits I had to click on it and reply no matter what the question is... So here I am, the ghost of MT has returned from out of his rock to reply to you! :D

I'm afraid that there is no definitive answer to this question... Every email client may work differently and implement the features differetly, there is no way to class them all as one with a specific level of how vulnerable they are. In fact, you cannot just take one of the e-mail clients and say: this product is exploitable on a level of likely to be exploited.

Let me ask you a question to help yourself make an estimation guess on how secure they are: how often do you see attachments escape the e-mail (without further user-interaction) and infect the system due to exploitation of the e-mail client?

Chances are you've never seen that actually happen to yourself, since it'd be extremely rare and tricky to actually carry out successfully. Normally the e-mail clients don't touch the attachments properly in a way to be executed - they are either stored on the cloud server and downloaded after user-interaction to the host system or they are auto-downloaded to the host system but not executed until you manually run the attachment...
Click to expand...
what do you say about Outlook?
 
  • Like
Reactions: aragornnnn, LASER_oneXM, SHvFl and 2 others
W

Wave

shmu26 said:
what do you say about Outlook?
Click to expand...
I would say it's decent and good enough. As long as you aren't click-happy and you only focus on e-mails from trusted senders/expected emails, you'll be fine. Don't aimlessly open up e-mails from unknown/untrusted senders or open attachments without proper check-ups.

Also, if you are running security on your system already (e.g. An AV with BB/HIPS + HitmanPro.Alert/Malwarebytes Anti-Exploit) you'll be better off anyway. ;)
 
  • Like
Reactions: aragornnnn, Winter Soldier, LASER_oneXM and 5 others
W

Wave

shmu26 said:
I use mailbird, but I only run it once in a while, to backup my gmail account. Otherwise, I use the gmail webclient.
Click to expand...
The web-client in theory should be much safer than the desktop e-mail clients. It really depends on the situation... E.g. e-mail web client - potential JavaScript code execution exploit... Whereas with an e-mail desktop client, this may not happen depending on how the attack is carried out.

It depends on numerous factors, you can't single all the services into one and give an estimation on how vulnerable they are without actually exploring the services individually and manually for analysis. :)

However Google take security very seriously and they don't mess around... If possible I would stick to Google Mail (gmail).
 
  • Like
Reactions: LASER_oneXM, aragornnnn, Winter Soldier and 5 others
SHvFl

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,347
Assuming you use Outlook change it to display the email as plain text. I am pretty sure you will not get something to exploit it and if you do sell the malware for lots of money and burn your pc after that.
 
  • Like
Reactions: soccer97, LASER_oneXM, Wingman and 5 others
W

Wave

Spawn said:
Keep the software updated with the latest versions and always use supported software.
Click to expand...
IMO this is some of the best advice when it comes to exploit protection because if you keep your software updated and get rid of any software you no longer use (which isn't updated/supported anymore) then you'll be protected from all the vulnerabilities which the developer/company fixes via the security patches. :)
 
  • Like
Reactions: soccer97, LASER_oneXM, aragornnnn and 2 others
whizkidraj

whizkidraj

Level 8
Verified
Nov 9, 2012
363
Can someone post the names of email clients like mailbird pro, emclient and others that you know of and which one do u think is best. And before all of this, are email client softwares like this really necessary. I see other names also like the bat professional and many other. Should I use them coz I have never used them and want to know what they really do related to user hands-on experience, security and other things that we would experience and want to know.
 
  • Like
Reactions: LASER_oneXM and aragornnnn
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
I think a logical assumption is applicable.

Every software is exploitable.
Email clients are software
So they are exploitable.

Certainly the client must be object of a targeted attack, perhaps quite rare if you keep it up to date.
 
  • Like
Reactions: LASER_oneXM, aragornnnn and Wave
whizkidraj

whizkidraj

Level 8
Verified
Nov 9, 2012
363
Winter Soldier said:
I think a logical assumption is applicable.

Every software is exploitable.
Email clients are software
So they are exploitable.

Certainly the client must be object of a targeted attack, perhaps quite rare if you keep it up to date.
Click to expand...
I know this. I just want to know if there are some real good advantages. Like how people say to some guy who knows nothing and then they say have you been living under a rock.
So I have never tried them coz I don't think they are necessary, but I'm here to listen to valid points to why I should try them or just keep going as it is.
If someone likes using them and can bring some good points to why I should use them and if they will help.
 
  • Like
Reactions: LASER_oneXM and aragornnnn
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
whizkidraj said:
I know this. I just want to know if there are some real good advantages. Like how people say to some guy who knows nothing and then they say have you been living under a rock.
So I have never tried them coz I don't think they are necessary, but I'm here to listen to valid points to why I should try them or just keep going as it is.
If someone likes using them and can bring some good points to why I should use them and if they will help.
Click to expand...
My post was not referring to your comment, only a general consideration :)
Honestly I don't use mail clients, but I read/write mail directly via browser.
 
  • Like
Reactions: LASER_oneXM, aragornnnn and whizkidraj
whizkidraj

whizkidraj

Level 8
Verified
Nov 9, 2012
363
I know but please don't bring free softwares into the equation coz then someone can come and say, screw Windows, Use Linux :D
Like that type of seriousness then doesn't come :p
Like if some wants to decide which is best antivirus and someone comes along and say, screw Kaspersky or all paid antiviruses. Use Avast. Use 360 antivirus and such. Kaspersky has a free antivirus try that.
So let's just keep it to email clients and not free vs paid :p
 
  • Like
Reactions: LASER_oneXM
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
whizkidraj said:
Can someone post the names of email clients like mailbird pro, emclient and others that you know of and which one do u think is best. And before all of this, are email client softwares like this really necessary. I see other names also like the bat professional and many other. Should I use them coz I have never used them and want to know what they really do related to user hands-on experience, security and other things that we would experience and want to know.
Click to expand...
if you are using a webmail client, such as gmail, and you are happy with it, then there is no real reason to switch to a desktop client.

People use them mainly because of their extended features, such as handling multiple mail accounts, and the zillion other business-oriented features you can see in clients such as Outlook.

But a home user who is happy with gmail has nothing much to gain from a desktop client -- with the exception of an offline backup.

The offline backup idea can be good if your internet connection is spotty, but you want to have your emails accessible even when you are offline.

It also provides a certain kind of protection against losing all your online email data, if you want to be paranoid about that kind of thing. Like, if you get locked out of your gmail account for some reason, you didn't lose your stash of data, addresses, etc.
 
  • Like
Reactions: whizkidraj
Status
Not open for further replies.

Similar threads

F
    • Like
    • Applause
    • +Reputation
Using NoScript for fun, just to see how ridiculous effective the Brave shields are (for add blocking and limiting third-party exposure)
Replies
43
Views
2,807
Brave
wat0114
wat0114
Gandalf_The_Grey
    • Like
    • Hundred Points
New Update Help Bitwarden test the new Manifest v3 Chrome extension
Replies
4
Views
415
Passwords and passkeys
Gandalf_The_Grey
Gandalf_The_Grey
Victor M
    • Like
    • Applause
    • +Reputation
  • Suggestion
Setup Idea Harden Windows 11 Home for Security
Replies
4
Views
645
PC Setup Ideas
Ink
I

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top