Originally posted 2 October 2001

The Privacy Foundation reported that Java scripting in an e-mail can be used to track changes and readership of an e-mail. Embedded scripting is unlike attachments in that the script is embedded in an HTML document, all the reader has to do to run the script is to open the e-mail, the reader may not even be aware of a script running.

Scripting is used for features in HTML documents. When you see a pop-page appear, a drop-down menu or a rolling banner ad, that is probably a Java or Windows script at work. Having Java installed on your computer is essential to be able to view most commercial sites. Windows Scripting is also heavily used by web sites and is necessary for a lot of features built into later versions of Windows and MS Office.

It is possible to turn off Java and Windows scripting on a computer and we recommended it last year. However we found turning it off completely made it impossible to surf the web. Settings can be changed to only affect the e-mail program and not the web browser. If you use Outlook, Outlook Express or Netscape 6.0, the following changes should be made to your computer.

Windows Scripting

Open the Control Panel and go to Internet Options, click Security and Resticted Sites. Click on the custom settings and make sure all options are set to disable. The default settings should be set to high.

Outlook Express

Open Outlook Express, click Tools, Options, Security and select Restricted Sites Zone.

Outlook

Outlook 97 users should select Tools, Options, Security, then select Restricted Sites in the Secure Content section. If you are using software that links to Outlook, check that the software continues to work. Problem software includes Net Folders, Intellisync, ACT and any program that links PDAs (Palm Pilots, Psions and Windows CE devices) to Outlook.

Netscape 6

Open Netscape, click on Edit, then Preferences. Click on Category and then Advanced. There should be no "X" next to Enable Javascript for Mail and News. Click on the "OK" button to close.

In Conclusion

Scripting is an essential part of using the web and greatly improves the functions of web sites. Unfortunately scripting also creates opportunities for malicious users. Even though you have disabled scripting for e-mail and restricted sites you may still be at risk from other forms of scripting mischief. Keep your virus checker up to date and be aware of any security issues affecting web browsing.

For further information on Internet security and privacy, visit the Privacy Forum. They have extensive links to this problem and other threats to on-line privacy. Our links page has the privacy forum and other virus and security links.

Updated 26 April 2001