A reader asks: Is allowing images in email a security risk?

Reader J from Pittsburgh asks:

“Some time ago, I set up Outlook to not show images in incoming emails, as a security measure. But it’s a pain in the butt, since in so many emails most of the content is in the images — and so often the sender doesn’t include a link to see the same info on a web page. So the question is: am I helping my security enough to justify the inconvenience? Hoping for enlightenment… Thanks, J”

Images in email can be a threat, but this risk is quite small for most normal users in most normal circumstances.

It wasn’t always so. The code that decodes image files can be, and has been, exploited: over the years a series of flaws in the handling of popular image formats (e.g. JPEG) has surfaced. There was a rash of image-security concerns around 2004-2005; another about five years later; and another around 2014-2015.

There also were problems with email clients that generated automatic previews/thumbnails of attached or embedded images: the client software might open and decode a maliciously crafted image before you, the recipient, had any say in the matter.

And there was a third set of issues where a sender could use the loading of an image (even an otherwise harmless one) to learn that the email had been opened. A remote image is fetched from the sender’s server when the message is displayed, so the fetch tells the sender that, when, and from which IP address the message was viewed. This is the so-called tracking pixel, typically a 1x1 image whose URL carries a token unique to the recipient.

Each round of security issues — and especially the early ones — led to recommendations for blocking all images in email as a “best practice” for maximum online security. If the images aren’t let in, they can’t do any harm.

That still holds: Blocking images embedded in or attached to email will eliminate virtually all risk from such items. That still is the very safest way of handling email.

But, as you say, it’s an inconvenient pain in the butt. Plus, each round of past security issues led to the known flaws being patched, and to image viewers and anti-malware apps learning how to spot potential trouble in the images they process. Images just aren’t that much of a threat vector anymore.

As a result, I think the “no images in email” rule mostly makes sense only in situations where there’s a known and nontrivial likelihood of some kind of malfeasance or cyberattack, such as corporations that receive large quantities of email from the public, some governmental email accounts, and similar cases.

IMHO, most normal, private users have little to fear from routine email images. If you employ normal security measures (good, up-to-date, full-time anti-malware; not opening attachments or accepting downloads from unknown sources; regular, complete backups; and so on), you’ll likely have no image-related security trouble.

If you worry about advertisers knowing that you looked at their emails, you still may want to turn off the image-preview/thumbnail function in your email client, or at least its automatic downloading of remote images, and load them per message instead. It is the fetch from the sender’s server that reveals the open; images attached to or embedded in the message itself don’t phone home.

But a blanket “no images in email” rule is probably overkill for most users. (It is for me: I allow images and image-previews in my email clients.)

In short: If your routine PC security apps and practices are in good order, I think you can re-enable your email images with negligible additional risk.

Permalink: https://wp.me/paaiox-hX
