Utterly Boring dot com

Yet another reason to ditch MSIE: The Notepad Pop-Up

In case you needed yet another reason to start using another browser, click here (only works if you're running Internet Explorer). If you're using MSIE, clicking on that link will get you a Notepad window, with a bit of text already there.

How does this work? First off, credit goes to the site where I saw this described. MSIE uses the view-source protocol to view the source of files. So, for example, my link above has view-source:http://www.utterlyboring.com/images/msieisbad.txt as the href of the link. While that by itself isn't really that evil, it can be used to do some nasty things. On his example page, he shows how it can be triggered as soon as the page loads. The protocol also doesn't check whether it's being asked to view the source of an actual HTML file, so you can send a graphic through it as well. And you can also link to local files. For example:

view-source:file:///c:\windows\win.ini
view-source:http://www.google.com

Or via an IMG SRC tag:

<img src=view-source:http://www.utterlyboring.com/images/oregon.gif>

It's a scary little thing. To quote the site about its major problems:

* A Notepad window will pop up automatically in an HTML email message even when scripting is turned off.
* Most popup blocker software packages do not block Notepad popups.
* A simple email HTML message or Web page can easily open thousands of windows causing system stability problems. For example, a single <IMG> tag can tell Notepad to edit the system file c:\windows\system32\shell32.dll and 20 megabytes of virtual memory is consumed. 100 <IMG> tags would consume 2 gigabytes of virtual memory.
* A Windows system could become corrupted if a user accidentally changes the contents of a system file which appears in a Notepad popup window and then saves these changes because they don't know any better.

Thanks, Microsoft, but I'm running Firebird, thank you very much.
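
A mail or web filter can catch these links before they ever reach Internet Explorer. The following is an added example, not code from this post or from the site it quotes: a Python scan for view-source: URLs in link and image attributes, run over a constructed HTML sample built from the links above. The attribute list and the whitespace cleanup are assumptions.

```python
from html.parser import HTMLParser

# Assumption: attributes treated as URL-bearing; extend for your mail/web filter.
URL_ATTRS = {"href", "src", "background", "data", "action"}

# Constructed sample (not a captured message), reusing the URLs from the post.
SAMPLE = r"""<html><body>
<a href="view-source:http://www.utterlyboring.com/images/msieisbad.txt">click here</a>
<img src=view-source:http://www.utterlyboring.com/images/oregon.gif>
<IMG SRC="View-Source:file:///c:\windows\win.ini">
<img src="http://www.utterlyboring.com/images/oregon.gif">
</body></html>"""

def normalize(url):
    """Remove tabs/newlines and leading control characters or spaces."""
    # Assumption: conservative cleanup so a split or padded scheme still matches.
    url = "".join(ch for ch in url if ch not in "\t\r\n")
    return url.lstrip("".join(map(chr, range(0x21))))

class ViewSourceFinder(HTMLParser):
    """Collects (tag, attribute, kind, target) for every view-source: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag/attribute names and handles unquoted values.
        for name, value in attrs:
            if name not in URL_ATTRS or value is None:
                continue
            scheme, sep, target = normalize(value).partition(":")
            if sep and scheme.lower() == "view-source":
                local = target.lower().startswith("file:")
                kind = "local-file" if local else "remote"
                self.findings.append((tag, name, kind, target))

def find_view_source(html):
    finder = ViewSourceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for tag, attr, kind, target in find_view_source(SAMPLE):
        print(f"<{tag} {attr}>: view-source ({kind}) -> {target}")
```

A filter built on this would strip or rewrite the flagged attribute rather than just report it, and the local-file kind is the one worth alerting on.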

As a side note, I was going to post this over on Bits & Bytes, but it appears they changed the location of their mt.cgi script. Neil, if you're reading this, are you still posting over there? Did I miss something? Did they kick a bunch of us off or something?

Posted by Jake on 08/18/03 @ 01:10 PM