Notepad popups



By Richard M. Smith of www.ComputerBytesMan.com
August 4, 2003

September 2004 Update: Support for the view-source: protocol was removed in Windows XP Service Pack 2, so Notepad popups no longer work on computers running SP2.

Do Notepad popups represent a security risk, or are they simply another way for spammers and marketers to annoy us? Because of a design flaw in Internet Explorer, Notepad popup windows can be displayed from an HTML email message or Web page regardless of the browser's security settings. In addition, Notepad popups can open files on the local hard disk, possibly causing stability problems on a Windows system.

A Notepad popup is a text window which an HTML email message or Web page displays using the Windows Notepad utility. Click here for a sample popup. (If you are using Internet Explorer for your browser, the demo should have already popped up.)

A Notepad popup window is displayed in Internet Explorer using the "view-source:" protocol. This protocol takes a complete URL as its argument and displays the HTML source code of that URL in the Notepad utility. For example, this view-source URL shows the HTML source code of the Google home page:

view-source:http://www.google.com

The view-source protocol also works with plain text files and with files on the local hard drive. For example, this view-source URL displays the win.ini file from the c:\windows directory:

view-source:file:///c:\windows\win.ini

A view-source URL is typically attached to a link or a button to show sample HTML or JavaScript code on Web development tutorial pages. Here is one example of this technique:

http://www.websitemedics.com/frames/index.html

In Internet Explorer, a view-source URL can be used in pretty much any HTML tag that accepts a URL. Because an <IMG> tag is fetched as soon as the page is rendered, no click is needed: this <IMG> tag pops up a Notepad window automatically when the HTML email message or Web page is loaded:

<img src=view-source:http://www.computerbytesman.com/security/npexample.txt>
Here are some unfortunate side effects of view-source URLs being allowed in all HTML tags:

These characteristics of Notepad popups can be attractive to spammers and script kiddies.

To eliminate these problems, Internet Explorer needs to be more selective about which HTML tags it allows view-source URLs to be used with. In particular, only the <A> tag should support the view-source URL, so that a popup requires a deliberate user click, and JavaScript code should not be able to trigger a click on such a link programmatically.

In addition, a Web page or HTML email message should not be able to open files residing on the local hard disk via a view-source URL, whether the wrapped URL uses file:// or a bare drive path.
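The two rules above (view-source: only on a clickable <A> link, and never pointing at the local disk) can be turned into a scanner for an HTML email body or Web page. The following is an added example, not code from the original article or from Internet Explorer: it walks every tag with Python's html.parser, finds attribute values that start with view-source: (leading whitespace ignored and scheme matched case-insensitively, an assumption about browser normalization rather than something the article states), and returns a verdict per finding. The verdict strings, the treatment of one-letter drive "schemes" and UNC paths as local, and the sample HTML are the example's own.

```python
import re
from html.parser import HTMLParser

VIEW_SOURCE = "view-source:"
# Matches a URL scheme such as "http", "file" or a bare drive letter "c".
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def view_source_target(value):
    """Return the URL wrapped by a view-source: prefix, or None.

    Leading whitespace is ignored and the prefix is matched case-insensitively
    (an assumption about how a browser normalizes attribute values).
    """
    v = value.lstrip()
    if v[:len(VIEW_SOURCE)].lower() != VIEW_SOURCE:
        return None
    return v[len(VIEW_SOURCE):].strip()


def scheme_of(url):
    m = SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def is_local_target(url):
    """True when the wrapped URL is treated here as a local file system path."""
    scheme = scheme_of(url)
    if scheme == "file":
        return True
    if len(scheme) == 1:            # bare drive path such as c:\windows\win.ini
        return True
    return url.startswith("\\\\")   # UNC path such as \\server\share\file


def classify(tag, attr, target):
    """Apply the article's policy: only a clickable <a href>, never a local file."""
    if is_local_target(target):
        return "deny: local file"
    if tag == "a" and attr == "href":
        return "allow: link needs a user click"
    return "deny: tag loads the URL automatically"


class ViewSourceScanner(HTMLParser):
    """Collect (tag, attribute, wrapped URL, verdict) for every view-source: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and accepts unquoted
        # values, so <IMG SRC=view-source:...> arrives as ("img", "src", ...).
        for name, value in attrs:
            if value is None:
                continue
            target = view_source_target(value)
            if target is not None:
                self.findings.append((tag, name, target, classify(tag, name, target)))

    # Self-closing tags such as <img ... /> reach handle_starttag through the
    # default handle_startendtag, so they need no extra handling.


def scan(html):
    parser = ViewSourceScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample body of an HTML email, reusing the URLs from the article.
SAMPLE = r"""
<html><body>
<p><a href="view-source:http://www.google.com">Google source</a></p>
<IMG SRC=view-source:http://www.computerbytesman.com/security/npexample.txt>
<a href="  VIEW-SOURCE:file:///c:\windows\win.ini">win.ini</a>
<iframe src="view-source:c:\windows\win.ini"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, target, verdict in scan(SAMPLE):
        print(f"<{tag} {attr}> {target!r}: {verdict}")
```

Run as a script it lists four findings from the sample: the <a> pointing at Google is allowed, the <IMG> is denied because the browser fetches it without a click, and both win.ini variants are denied as local files even though one of them sits on an otherwise acceptable <a href>. A mail gateway or HTML sanitizer would strip the denied attributes rather than merely report them.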