cmsix wrote:
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:ar%7h.338203$5R2.182657@pd7urf3no...
>> The single best thing you can do to stop malware from causing a
>> problem with your computer is to run as a standard user. Using a
>> different browser or different email program may help because the
>> alternate programs you use may not be targeted as much as OE or IE.
>> All programs have bugs. Most programs now access the Internet in
>> some way. This gives malware many vectors to attack your computer.
>> Even anti-malware programs can be targeted and used as a vector to
>> install malware. Running as a standard user mitigates the attacks by
>> not allowing the malware access to system files or system registry
>> hives. It can still install but only in the context of the current
>> user. Most malware expects administrator access and fails when it
>> isn't available.
>>
>> Unfortunately running as a standard user is not really an option
>> with XP because Microsoft has encouraged sloppy programming since
>> Windows 95. Many programs expect administrator privileges and fail
>> without them. This is where Vista is exciting. It allows, actually
>> enforces via uac, programs to run in the context of a standard user
>> even if the user is logged on as an administrator. This will help
>> enormously in the fight against malware. If you have ever worked in
>> an environment where everyone runs as a standard user you would know
>> how easy it is to clean most malware infections in this environment
>> if they even succeed in installing at all.
>
> Could you give me a hint how malware can be installed from email read
> as text only? I'm just wondering, since I can't imagine any way that
> can happen. No html email, no spyware, malware, or crapware from the
> mail. Unless I'm wrong.
>
> cmsix
>

If would depend on your email client. All email clients that I am familiar
with don't execute any scripts when set to read plain text so you would be
safe from an email attack. That wasn't the original question. The question
was:

"Is it fair to say that the best two single things you can do to
protected yourself are turn off reading html email and use a browser
that doesn't say Internet Explorer?"

My opinion is they are both good methods to protect yourself but not the
best method as they only protect against specific attack vectors. Running as
a standard user would protect against many attack vectors. Running as a
standard user and reading email in text mode and possibly using a browser
other than IE would give you better protection. I say possibly on the
browser because as Firefox is gaining in popularity with users it is also
gaining in popularity with malware authors. It is hard to say at this point
if IE7 or Firefox is less exploitable. Neither of the current versions have
been out long enough and IE still has the lion's share of the market so is
targeted more.

If you want to totally protect yourself then do all Internet access from a
virtual machine environment. This is what I do when testing different
anti-malware programs. So far I don't know of any malware that can escape
from a virtual environment. It has been theorised that malware could exploit
some of the hardware virtualization methods that both AMD and Intel use but
I don't know of any exploits that have been proven yet.

--
Kerry Brown