R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Saturday, 25th October 2014 @ 06:32:30 GMT 
Reports | Internet Explorer arbitrary command execution (user interaction required)
{26th Sep 2004}
Affected:  Windows XP (SP1)
Windows XP (SP2) - with limitations

Problem: The Internet Explorer "View… Source" feature, appears not to use a fully specified path to notepad.exe.

If an attacker is able to convince the user to download (or otherwise have) a file named notepad.bat / notepad.exe on their desktop, it will be executed when clicking "View… Source" in Internet Explorer.

Additionally on Windows XP (pre SP2) the view source feature can be run automatically on visiting a web page (in service pack 2 the view source feature appears to have been removed, additionally the warning toolbar is displayed).

<html>
<head>
<script language=JavaScript>
function viewsource() {
window.location = "view-source:" + window.location.href
}
</script>
</head>
<body onload="javascript:viewsource()">
<a href="javascript:viewsource()">View Source</a>
</body>
</html>

The problem of view source executing files on the desktop named "notepad" appears to have been known about at least since December 2002.