Re: is Apple Mail unsafe?

2016-08-02 Thread @lbutlr
On 02 Aug 2016, at 23:00, Macs R We  wrote:
> Android took months fumbling to find a fix that worked.

And at least 200,000,000 Android devices *IN USE* will never be patched because 
they cannot be. So those are still vulnerable to Stagefright and will be until 
they stop being used.


___
MacOSX-talk mailing list
MacOSX-talk@omnigroup.com
http://www.omnigroup.com/mailman/listinfo/macosx-talk


Re: is Apple Mail unsafe?

2016-08-02 Thread Macs R We

> On Aug 2, 2016, at 12:26 PM, Arno Hautala  wrote:
> 
> Not so much... Malware can indeed be contained in an image.
> 
> http://9to5mac.com/2016/07/22/stagefright-mac-iphone-ipad/

Agreed, in part.  Stagefright was real malware that delivered real malicious 
code, but not to Apple devices.

The Apple "proof of concept" hack they compared it with proved only that it was 
possible for a malformed TIFF to trash the heap.  I guess you could call this 
malware in itself, but of a very low order (no one showed it could reveal data 
or deliver malicious code).  The claim that this hack could "ultimately achieve 
remote code execution" is a bit too underpants-gnomish for me:

1) Discover IP address of NSA computer
2) ?
3) Total World Domination!

The only thing the two hacks have in common is that the triggering mechanism 
was a malformed non-executable (data) file.  Apple fixed its minor risk 
immediately; Android took months fumbling to find a fix that worked.




Re: is Apple Mail unsafe?

2016-08-02 Thread Carl Hoefs
There's always the "Load Remote Content" button in the upper right corner of 
each message should you really want to see everything...
-Carl


> On Aug 2, 2016, at 11:36 AM, Dinse, Gregg (NIH/NIEHS) [C] 
>  wrote:
> 
> On Aug 2, 2016, at 2:29 PM, Macs R We  wrote:
>> 
>>> On Aug 2, 2016, at 10:41 AM, Dinse, Gregg (NIH/NIEHS) [C] 
>>>  wrote:
>> 
>>> I just checked my Apple Mail preferences.  Under the Viewing tab, I see 
>>> that I have the box checked for "Load remote content in message".  It 
>>> sounds like I should uncheck that box, right?  If I do uncheck it, will I 
>>> see a bunch of generic icons for any content, and will I then have an 
>>> option to view the content if I believe it's from a trusted source?
>> 
>> Yes, precisely.  
>> 
>> I ran that way for some months, then decided it was too much of a pain in 
>> the butt to continue, security or no security.  But try it out for yourself.
>> 
>> All you do with that setting is avoid triggering "web bugs."  They can't 
>> load malware, or do anything other than tell the mail sender that your email 
>> address is live.  Since most of my email addresses are business addresses 
>> that are publicly advertised on websites to begin with, I couldn't see the 
>> upside.
> 
> Thanks.  I might try it for a while and see how painful it is.
> 
> The way you describe it, having the "load remote content" box checked does 
> not sound so bad -- if all it does is notify the mail sender that my email 
> address is live.  But does it also load images?  I thought that malware, or 
> at least undesirable things of some sort, could be embedded in images.  Is 
> that not true?
> 
> I guess I am really showing my ignorance here.
> 
> Gregg
> 


Re: is Apple Mail unsafe?

2016-08-02 Thread Arno Hautala
On Tue, Aug 2, 2016 at 2:36 PM, Dinse, Gregg (NIH/NIEHS) [C]
 wrote:
> But does it also load images?  I thought that malware, or at least 
> undesirable things of some sort, could be embedded in images.  Is that not 
> true?
>
> I guess I am really showing my ignorance here.

Not so much... Malware can indeed be contained in an image.

http://9to5mac.com/2016/07/22/stagefright-mac-iphone-ipad/

To be truly secure you must communicate directly with the bits. I try
to plug the fiber directly into my eyes.

-- 
arno  s  hautala/-|   a...@alum.wpi.edu

pgp b2c9d448


Re: is Apple Mail unsafe?

2016-08-02 Thread Dinse, Gregg (NIH/NIEHS) [C]
On Aug 2, 2016, at 2:29 PM, Macs R We  wrote:
> 
>> On Aug 2, 2016, at 10:41 AM, Dinse, Gregg (NIH/NIEHS) [C] 
>>  wrote:
> 
>> I just checked my Apple Mail preferences.  Under the Viewing tab, I see that 
>> I have the box checked for "Load remote content in message".  It sounds like 
>> I should uncheck that box, right?  If I do uncheck it, will I see a bunch of 
>> generic icons for any content, and will I then have an option to view the 
>> content if I believe it's from a trusted source?
> 
> Yes, precisely.  
> 
> I ran that way for some months, then decided it was too much of a pain in the 
> butt to continue, security or no security.  But try it out for yourself.
> 
> All you do with that setting is avoid triggering "web bugs."  They can't load 
> malware, or do anything other than tell the mail sender that your email 
> address is live.  Since most of my email addresses are business addresses 
> that are publicly advertised on websites to begin with, I couldn't see the 
> upside.

Thanks.  I might try it for a while and see how painful it is.

The way you describe it, having the "load remote content" box checked does not 
sound so bad -- if all it does is notify the mail sender that my email address 
is live.  But does it also load images?  I thought that malware, or at least 
undesirable things of some sort, could be embedded in images.  Is that not true?

I guess I am really showing my ignorance here.

Gregg



Re: is Apple Mail unsafe?

2016-08-02 Thread Macs R We

> On Aug 2, 2016, at 10:41 AM, Dinse, Gregg (NIH/NIEHS) [C] 
>  wrote:

> I just checked my Apple Mail preferences.  Under the Viewing tab, I see that 
> I have the box checked for "Load remote content in message".  It sounds like 
> I should uncheck that box, right?  If I do uncheck it, will I see a bunch of 
> generic icons for any content, and will I then have an option to view the 
> content if I believe it's from a trusted source?

Yes, precisely.  

I ran that way for some months, then decided it was too much of a pain in the 
butt to continue, security or no security.  But try it out for yourself.

All you do with that setting is avoid triggering "web bugs."  They can't load 
malware, or do anything other than tell the mail sender that your email address 
is live.  Since most of my email addresses are business addresses that are 
publicly advertised on websites to begin with, I couldn't see the upside.



Re: is Apple Mail unsafe?

2016-08-02 Thread Dinse, Gregg (NIH/NIEHS) [C]
On Aug 2, 2016, at 12:54 PM, @lbutlr  wrote:
> 
> On Aug 2, 2016, at 08:17, Dinse, Gregg (NIH/NIEHS) [C]  
> wrote:
>> He seemed to say that Apple Mail tries to pre-load emails (or things/links 
>> in emails), which is similar to the user clicking on a link.
> 
> This is not true. If you allow images to be loaded, that content will be 
> fetched, of course. That's the case in any mail client. But that should not 
> be confused with clicking links.
> 
> That said, it is better to not have mail load images automatically anyway.

I may have misunderstood what the sysadmin said.

I just checked my Apple Mail preferences.  Under the Viewing tab, I see that I 
have the box checked for "Load remote content in message".  It sounds like I 
should uncheck that box, right?  If I do uncheck it, will I see a bunch of 
generic icons for any content, and will I then have an option to view the 
content if I believe it's from a trusted source?

Thanks,

Gregg



Re: is Apple Mail unsafe?

2016-08-02 Thread @lbutlr
On Aug 2, 2016, at 08:17, Dinse, Gregg (NIH/NIEHS) [C]  
wrote:
> He seemed to say that Apple Mail tries to pre-load emails (or things/links in 
> emails), which is similar to the user clicking on a link.

This is not true. If you allow images to be loaded, that content will be 
fetched, of course. That's the case in any mail client. But that should not be 
confused with clicking links.

That said, it is better to not have mail load images automatically anyway.

-- 
This is my signature. There are many like it, but this one is mine.
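
The distinction drawn in this thread, between content a mail client fetches when "Load remote content" is on and links that are only fetched when clicked, can be checked on a saved message. The following is an added example, not code from any poster or from Apple Mail; the sample message and its hosts are constructed placeholders, and the AUTO_FETCH list and the 1x1 web-bug heuristic are assumptions about typical HTML renderers.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the thread); every host is a placeholder.
SAMPLE = """\
From: sender@example.com
Content-Type: text/html; charset="utf-8"

<html><body background="https://cdn.example.com/bg.png">
<p>Hello <a href="https://login.example.net/reset?u=reader">click here</a></p>
<img src="https://cdn.example.com/logo.png" width="200" height="40">
<img src="https://track.example.com/o.gif?id=abc123" width="1" height="1">
<img src="cid:part1.inline">
</body></html>
"""

# Assumed tag/attribute pairs a renderer requests on its own with remote content on.
AUTO_FETCH = {("img", "src"), ("body", "background"), ("link", "href")}

class RemoteContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.auto, self.click_only, self.web_bugs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name, value in attrs:
            url = urlparse(value or "")
            if url.scheme not in ("http", "https"):
                continue  # cid:, data: and relative references cause no request
            if (tag, name) in AUTO_FETCH:
                self.auto.append(value)
                # Heuristic: a 1x1 image with a query string is a likely web bug.
                if tag == "img" and a.get("width") == a.get("height") == "1" and url.query:
                    self.web_bugs.append(value)
            elif (tag, name) == ("a", "href"):
                self.click_only.append(value)

def audit(raw_message):
    result = RemoteContentAudit()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            result.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    return result

if __name__ == "__main__":
    r = audit(SAMPLE)
    print(r.auto, r.web_bugs, r.click_only, sep="\n")
```
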


is Apple Mail unsafe?

2016-08-02 Thread Dinse, Gregg (NIH/NIEHS) [C]
Hi,

I have always used Apple Mail, both at home and at work.  Yesterday I got a 
message from a sysadmin at work saying that I had clicked on a link in a 
phishing email.  I contacted him to say that I had not clicked on anything in 
that email.  He seemed to say that Apple Mail tries to pre-load emails (or 
things/links in emails), which is similar to the user clicking on a link.  I 
may not have the details quite right, but that is the essence of what I believe 
he was saying.  They use Microsoft Exchange servers at work, so this may be in 
the context of using Apple Mail with an Exchange server.

In this case, he said that the malicious link/web site had already been 
blocked, so this did not create a problem.  However, it left me wondering if 
this is a shortcoming with Apple Mail that I should be concerned about.  I also 
use Apple Mail at home, and at home I do not have a team of sysadmins who might 
block these phishing emails (though perhaps my ISP does, but I doubt it).

Can anyone shed additional light on this?  Thanks,

Gregg
