The problem at hand is not one of Notepad or the view-source protocol, but of the behavior inherent to Internet Explorer on how to handle certain mimetypes and protocols. Your advisory (good as it is) highlights an example of the problem, but disregards the larger picture.

Whether or not a specific mimetype or protocol will be automatically opened by the MSHTML renderer is controlled by the EditFlag registry key. Changing bit 0 of byte 2 controls whether the Open/Save dialog box appears or if the content is automatically opened. You could e.g. use this to disable the automatic opening of MIDI files, which would be a very quick way for most domain administrators to efficiently disable the MIDI exploit from last week.

You can read more about EditFlag at

http://www.cpcug.org/user/clemenzi/technical/WinExplorer/WinExplorerEditFlags.htm

or

http://perso.wanadoo.fr/tmcd2/Types.htm

As such, this problem is not limited to plaintext messages, but extends to other types of data and other protocols.

It's funny that you have looked into this now, I am currently writing up some stuff about inline embedding and automatic execution of media data and exe files in emails (MHTML/EML) which covers the broader picture. I guess the cat is out of the bag now, might as well release that soon ;)

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-----Original Message-----
From: Richard M. Smith [mailto:rms@computerbytesman.com]
Sent: Monday, August 04, 2003 11:58 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Notepad popups in Internet Explorer and Outlook

Hi,

Do Notepad popups represent a security risk or are they simply another way for spammers and marketers to annoy us?

Because of a design flaw in Internet Explorer, Notepad popup windows can be displayed from an HTML email message or Web page regardless of browser security settings. In addition, Notepad popups can access files on a hard disk, possibly causing stability problems in a Windows system.

For more details, see:

http://www.computerbytesman.com/security/notepadpopups.htm

Question: What kind of operating system allows an email message to automatically start up a text editor to change a system file?

Richard M. Smith
http://www.ComputerBytesMan.com
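
The EditFlags check described in the reply above, as an added example that is not part of either message: a Python audit of a `.reg` export that lists which file-type keys have bit 0 of byte 2 set (0x00010000 as a DWORD, named FTA_OpenIsSafe in the Windows SDK), meaning content of that type opens without the Open/Save dialog. The export text, the values in it and the function names are constructed for illustration.

```python
import re

# Bit 0 of byte 2 of EditFlags; as a little-endian DWORD this is 0x00010000.
OPEN_IS_SAFE = 0x00010000

# Constructed sample of a .reg export; keys and values are illustrative only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\midfile]
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\txtfile]
"EditFlags"=dword:00010000

[HKEY_CLASSES_ROOT\exefile]
"EditFlags"=hex:38,07,00,00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"EditFlags"=(hex|dword):([0-9a-fA-F,]+)$')

def parse_edit_flags(reg_text):
    """Return {key_path: flags_as_int} for every key that has an EditFlags value."""
    flags, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            kind, data = m.groups()
            if kind == "dword":
                # REG_DWORD is exported as one hex number.
                flags[key] = int(data, 16)
            else:
                # REG_BINARY is exported byte by byte, lowest byte first.
                raw = bytes(int(b, 16) for b in data.split(",") if b)
                flags[key] = int.from_bytes(raw[:4].ljust(4, b"\0"), "little")
    return flags

def auto_open_keys(reg_text):
    """Keys whose EditFlags has the bit set, so no Open/Save prompt is shown."""
    return sorted(k for k, v in parse_edit_flags(reg_text).items() if v & OPEN_IS_SAFE)

def with_prompt_restored(flags):
    """Clear only bit 0 of byte 2, leaving every other flag untouched."""
    return flags & ~OPEN_IS_SAFE & 0xFFFFFFFF
```

The parser handles single-line `hex:` and `dword:` values only; exports that wrap a long binary value across lines with a trailing backslash would need the lines joined first.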