Why is it that I spend so much of my life saying, to the collective population of the Internet "Yeah, no shit; we've been saying that for months now, and my customers aren't affected by this, because they use the right clients, and I configure them the right way"?
If that doesn't tell you the whole story, here's a little background, leavened with a little preaching. Eddie? A little bullshitting music, please...
In the beginning was electronic mail. And it was plain text. And everyone saw that it was good.
Along came Netscape Messenger, the mail client included in Netscape's browser package. The good engineers at Netscape decided that their email client ought to understand how to interpret HTML code inside email message bodies. There was no *standard* for that, of course; the standard that did exist specified plain text. "Oh, but obviously they couldn't have thought of this"...
This was a Bad Idea, being, as it was, mostly motivated by the fact that it would make e-junk-mail prettier. But they did it anyway, and, of course, users, not realizing what the long-term implications might be (and, ahem, blowing off the people giving them good advice) got accustomed to being able to set the fonts and colors in their email, and include pictures.
Well, along came 'web bugs I': since those messages can be HTML, it occurred to some marketer that if they included an 'inline image' tag in the spam mail they sent out to people, they could tell which of those messages were actually *read* by people (using HTML-capable mailers -- in our 95% Windows, 90% browser-mailreader environment, that's a walk on), by the fairly simple expedient of making that image tag retrieve a transparent 1-pixel image, and tagging its name so they could tell *which* person read the mail.
This acquired the popular name 'web bug', and was widely viewed as Not A Good Thing, privacy-wise... by the 350 people who were paying any attention at all.
But, in the final analysis, that one didn't raise a major ruckus because all it really denied you was the ability to lie about whether you'd read a piece of mail (and by extension, whether your email address really existed at all). Just like the lovebug virus... which wasn't really very dangerous.
But before we leave that, let's take a quick side trip: web bugs did their dirty deed even if all you did was read the mail. Unlike viruses, you didn't even need to do something ill-advised to get bit. Worse: you couldn't even switch the problem off: neither Netscape nor (as far as I know) Explorer/Outlook allows you to *disable* HTML interpretation in email.
The upshot of that realization, of course, is that it's now possible for someone to send you mail that quietly carbon copies your reply to an unseen third party... and if that message is then replied to and expands into a thread, *all* of those messages will get forwarded on to the Bad Guy.
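To make the web-bug mechanism concrete from the receiving end, here is an added example (my code, not anything from the original post): a small Python scanner that finds remote `<img>` tags in an HTML mail body, flags the ones that look like tracking pixels (invisible 1x1 images, or URLs carrying an opaque per-recipient token), and rewrites the body so that no remote image is fetched at all, which is the "don't load remote content" behaviour the mailers discussed above lacked. The sample message, the host names and the `u=` parameter are all constructed for illustration.

```python
"""Detect 'web bug' tracking pixels in an HTML mail body and neutralise them.

Added example, not code from the original post. Standard library only.
The sample message, host names and query parameter below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class RemoteImageScanner(HTMLParser):
    """Collect every <img> whose src is fetched over the network when rendered."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        parsed = urlparse(src)
        # cid: (MIME-attached) and data: images never phone home; only http(s) does
        if parsed.scheme not in ("http", "https"):
            return
        self.images.append({
            "src": src,
            "host": parsed.hostname or "",
            "width": a.get("width", "").strip().rstrip("px"),
            "height": a.get("height", "").strip().rstrip("px"),
            "query": parse_qs(parsed.query),
        })


def is_tracking_pixel(img):
    """Heuristic: an invisible (0x0 or 1x1) remote image, or one whose URL
    carries an opaque per-recipient token (a long, non-dictionary query value)."""
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    token = any(
        len(v) >= 16 and not v.isalpha()
        for values in img["query"].values()
        for v in values
    )
    return tiny or token


def find_web_bugs(html_body):
    """Return the remote images in html_body that look like tracking pixels."""
    scanner = RemoteImageScanner()
    scanner.feed(html_body)
    scanner.close()
    return [img for img in scanner.images if is_tracking_pixel(img)]


_IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
_SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                       re.IGNORECASE)


def block_remote_images(html_body):
    """Return html_body with every http(s) <img> replaced by a visible placeholder.

    Nothing remote is fetched, so nobody learns that the message was opened.
    Attached (cid:) and inline (data:) images are left alone.
    """
    def replace(match):
        tag = match.group(0)
        m = _SRC_ATTR.search(tag)
        src = next((g for g in m.groups() if g is not None), "") if m else ""
        if urlparse(src.strip()).scheme in ("http", "https"):
            return "[remote image blocked]"
        return tag
    return _IMG_TAG.sub(replace, html_body)


# Constructed sample: a visible attached logo, a 1x1 beacon whose URL identifies
# the recipient, and an ordinary remote banner.
SAMPLE_BODY = """<html><body>
<p>Big sale this week!</p>
<img src="cid:logo@example.invalid" width="200" height="60">
<img src="http://tracker.example.invalid/open.gif?u=3f9a1c77b2d04e58" width="1" height="1">
<img src="https://cdn.example.invalid/banner.jpg" width="468" height="60">
</body></html>"""


def demo():
    bugs = find_web_bugs(SAMPLE_BODY)
    for b in bugs:
        print("web bug ->", b["host"], b["query"])
    cleaned = block_remote_images(SAMPLE_BODY)
    print(cleaned)
    return bugs, cleaned


if __name__ == "__main__":
    demo()
```

The two halves are deliberately separate: `find_web_bugs` is the detection you would run in a gateway or a mail filter to report who is tracking your users, while `block_remote_images` is the blunt mitigation a client should apply by default, since a beacon that is never fetched cannot report anything, whatever its size or URL looks like.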
And, as computer software vendors continue to provide new features that either a) they think we need or b) their corporate parents think will make trying to sell us things easier, and give no thought to the security of the end users, the situation will likely get worse before it gets better.
Unless users complain. If you're an MIS director, *bitch about this long and loudly*. If you're "someone's friend, the computer guy", explain this stuff to them. They really do need to understand. No, *really*.