By Ben Schoor

For those of you who dislike HTML mail, here’s another reason to be perturbed. A JavaScript and HTML vulnerability can be used to eavesdrop on an HTML message that is forwarded, revealing who it was forwarded to as well as what text the forwarding party added.

Will you have Java with your e-mail?
Here’s how it works. Just like a Web page, an e-mail message can contain JavaScript. Someone who wants to spy on a forwarded message adds documented JavaScript to the HTML message; the script captures any text added to the message and sends that text to a remote Web server controlled by the snoop.

The really unsettling part is that this exploit works in sort of a continuous cycle. For example, let’s say you receive one of these messages, add your comments, and forward the e-mail to someone else; they reply to the e-mail and send it back to you. Now your comments and the comments of your correspondent can be sent to the originator.

Block those prying eyes
What can you do to prevent this from happening? If you’ve installed the Outlook 2000 SR-1 E-mail Security Update or are running Outlook 2000 SP-2, you’ve already disabled JavaScript in e-mail messages and don’t have to worry about this.

If you’re not interested in downloading Outlook 2000 SP-2, then we recommend manually adjusting the security settings in Outlook.

Figure A

  1. Go to Tools | Options.
  2. Click the Security tab and hit the Zone Settings button.
  3. Click OK when the message pops up.
  4. Select the Restricted Sites zone and hit the Custom Level button.
  5. Scroll down to the Active Scripting setting and select Disable. (Ensure that the Security Level is set on High.) (See Figure A.)
  6. Click OK three times.

A quick note

Be forewarned that this manual adjustment protects you from falling victim to the JavaScript wiretapping, but it doesn’t safeguard the people who send you e-mail.

A word of warning
A vulnerability in Outlook 2000 could allow an HTML message to circumvent your Java security by opening an instance of Internet Explorer with lowered defenses. Microsoft’s fix for this security problem is the Outlook 2000 SR-1 Java Permissions Security Update.
