Can spyware install when you click an email?

[Orange Marmelade]

Hey guys.

I got 5 e-mails within minutes in my inbox from a company named TechTarget.com USA. The subject discussed within these emails were not of interest to me. Yet I got these emails all of a sudden. This got me thinking about an old question I have.
Can spyware get installed or code executed, just by the user clicking on an email and reading the text contents, without opening any attachments, or following any link within this email?

Internet is quite divided. Some say an email cannot unless you open attachments. Others say it is definitely possible.

So what's the definite answer?

 

[Deleted member 245375]

Generally speaking unless your email client itself (meaning if you use a locally installed email client program like Outlook, Thunderbird, etc and not just use a browser based solution like Gmail, Yahoo, Outlook.com, etc) is pretty secure there is always the possibility that some rogue code created for a nefarious purpose can go to work on said client without the end user's absolute knowledge of it happening. Given that case, I guess I should say it's entirely possible for a browser based solution as well if someone knew the overall code that well but that's like a one-shot in infinity situation that someone could know that much all at the same time and be able to construct some code to take advantage of every possible exploitable aspect of the code being run as the application itself.

Anytime I find people that are absolutely certain that something is or can be totally completely secure I just laugh and respond "Yeah, and bumblebees cannot fly, it's a proven fact with research done by N.A.S.A. but they fucking do it anyway, probably just to spite the engineers..." or something similar.

I haven't used any locally installed email clients in oh, 13+ years now since I created my Gmail account around the time that went live, I have other web based email accounts with the big names also. It's more convenient to me to do things that way but not everyone has that option (say in a work environment where you're required to use the tools the employer provides) and so that's my email "type" of choice. I don't believe that security exists anymore with respect to computers and technology - if there's information out there someone has or can or will create a method for extracting it, and that includes creating tools to be left around aka the spyware or tools to just create problems aka the malware.

tl;dr Most anything is possible given the talent to create the exploit and the fact that software is exploitable as well.

 

[hedron]

Tiverton, you're saying browser based email is more secure?

 

[bigdogchris]

If the emails are in your Inbox and you display rich text or HTML it could be possible for an email to automatically load malware through an advertisement. No different than a web browser. This is why email in your Junk/Spam folders do not load images.

 

[Nenu]

Yep.
If you allow HTML/rich text or open strange attachments, welcome to someone elses internet.
My emails look bland, no inline images, no links load anything, no content loads from any website or other servers, not even when replying.
I dont allow scripting except for essentials on web based email. All blocked except those needed for email to function.
Helps keep my system in good shape.

 

[Verge]

Hey guys.

I got 5 e-mails within minutes in my inbox from a company named TechTarget.com USA. The subject discussed within these emails were not of interest to me. Yet I got these emails all of a sudden. This got me thinking about an old question I have.
Can spyware get installed or code executed, just by the user clicking on an email and reading the text contents, without opening any attachments, or following any link within this email?

Internet is quite divided. Some say an email cannot unless you open attachments. Others say it is definitely possible.

So what's the definite answer?

It certainly can, assuming they are targeting a vulnerability in your mail client. Pretty rare, but it can happen.

 

[JHefile]

Just don't open the attachment. We get them at work sometimes and are warned to just delete them. I opened one by accident one time and my work antivirus caught it right away.

 

[rezerekted]

I use web only for email and I have noscript installed in Firefox so on my PC, no, it can't, because the scipt can't run until I enable it in noscript.

 

[st4rk]

I only read my email on throwaway vms, and only with cmd and powershell mapi connections. You can never be too safe!

 

[cass1]

Yes, it can!