Play It Safe With the Right Browser Security Settings

The pop-up ad epidemic is irritating--and it's a security threat. The ads, which are Web pages, may contain dangerous programs or scripts; they can hijack your home page or install adware that sprouts more pop-ups. In fact, a booby-trapped pop-up could even steal or delete your data, or install a dialer to seize your Internet connection and reroute it to a dollars-per-minute 900 number. To eliminate these hazards in Internet Explorer, you must check settings for ActiveX controls; in Netscape, Mozilla, or another browser, you must change a JavaScript setting.

For Internet Explorer users, the dangerous code in pop-up pages often appears as an ActiveX control that presents itself for your approval before downloading (see FIGURE 1). Though it looks similar to many safe browser plug-ins that you may have accepted from reputable sites in the past (it may be signed with a certificate, even), the sneaky control actually installs software that displays ads on your PC.

IE can download ActiveX controls and run them much as any other program runs on your PC. By default, IE is configured to ask your permission before downloading and running an ActiveX control from the Internet. If you or anyone else using the computer has changed those settings, however, unwanted programs could launch automatically.

To check your security settings in IE, choose Tools, Internet Options, click the Security tab, select the Internet zone, and confirm that the 'Security level' slider is set to Medium. This setting instructs IE to block the controls that aren't signed with a certificate, and to prompt you for approval before launching ActiveX controls.

If you share the computer with children (or with adults who download first and ask questions later), set the slider to High. This blocks ActiveX content, Java and JavaScript code, and file downloads. Note that disabling these features may cause reliable Web sites not to work as expected--or at all--in your browser.

Because they support Java and JavaScript instead of ActiveX, the most recent versions of IE competitors Netscape, Mozilla, and Opera are safer. But they are not immune to scripting shenanigans.

The default security settings in Mozilla and Netscape--Java enabled, and JavaScript enabled for Web pages but not for e-mail--are sensible. If you want to block the many unscrupulous Web sites from changing your home page, however, simply disable JavaScript altogether: Choose Edit, Preferences, expand the Advanced category, select Scripts & Plugins, uncheck Navigator under 'Enable Java for', and click OK. If you'd like to do the same in Opera, select File, Quick Preferences and then uncheck Enable JavaScript. As with the high security settings of Internet Explorer, you'll find that disabling JavaScript reduces functionality at certain Web sites.

Finally, when you've finished tweaking your browser's security settings, visit one of the many browser security-check Web sites. Scanit and Qualys will point out any chinks in your browser's armor and suggest a fix.

Tighten Up Wi-Fi With WPA

If you use a wireless network, it's likely susceptible to intrusion from neighboring or drive-by snoops. One reason for this is the weak Wired Equivalent Privacy encryption that most wireless cards and routers use. The Wi-Fi Alliance has replaced WEP and its shortcomings with a stronger standard: Wireless Protected Access.

Wireless-networking vendors plan to release WPA driver and firmware updates for many, if not most, of their existing products by summer's end. Go to Microsoft to download Microsoft's WPA update for Windows XP.

Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Click here for more Internet Tips. Scott Spanbauer is a contributing editor for PC World.

Safe E-Mail With The Bat

Though Microsoft has done much to safeguard Outlook and Outlook Express against e-mail worms and macro viruses, the programs are still vulnerable, because of their integration with Internet Explorer. Ritlabs claims that its program, The Bat, sidesteps these vulnerabilities by using its own page-rendering engine to display HTML messages. The Bat costs $25 for students, $35 for private individuals, and $45 for businesses; download a 2.4MB, fully functional, 30-day trial version to see whether the e-mail safety it offers is worth the extra bucks.