They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the “innovation” of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

  • Bytemeister@lemmy.world · ↑53 · 1 month ago

    Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 150mil in options and bonuses.

    • MinnesotaGoddam@lemmy.world · ↑44 · (edited) · 1 month ago

      Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.9 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 149mil in options and bonuses.

      • Magnum, P.I.@infosec.pub · ↑19 · 1 month ago

        Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.8 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 148mil in options and bonuses.

    • Log in | Sign up@lemmy.world · ↑14 · (edited) · 1 month ago

      If you’re still on Windows 10, Notepad is fine, but you might not be getting security updates for the whole OS. If you’re on Windows 11, Notepad is annoying, bloated, has AI, and is a security risk. Also, the OS updates you are getting might well be written by AI, and we all know how infallible AI is, right?

      • Professorozone@lemmy.world · ↑2 · 1 month ago

        Yeah, still on Win10. I’m in the process of building a new computer right now. It will be dual boot, Linux/Win11. I intend to continue using my old Win10 machine though for some things. I’ll leave it offline.

  • melsaskca@lemmy.ca · ↑10 ↓1 · 1 month ago

    Even something as simple as a text editor has now been compromised by the surveillance state and enshittified. smh.

  • mlg@lemmy.world · ↑7 · 1 month ago

    inb4 text files from the internet now get a MOTW warning banner like macros in Office lol

  • pkjqpg1h@lemmy.zip · ↑25 · 1 month ago

    This has nothing to do with Markdown. It’s disinformation from Microslop.

    You can make the link C:\windows\system32\cmd.exe hn

    This is so stupid. Why did they add something like this? In Markdown, there is no execution. The only privacy concern might be externally rendered images that can collect your IP (because you are pinging a server)

  • Havatra@lemmy.zip · ↑53 · 1 month ago

    An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

    “launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…

    • Classy Hatter@sopuli.xyz · ↑22 · 1 month ago

      As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.

      • kernelle@lemmy.dbzer0.com · ↑25 · 1 month ago

        RCE means exactly this: the ability to run any code on a remote device (the one running Notepad).

        It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi billion dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation.

          • Ænima@lemmy.zip · ↑8 · 1 month ago

            They admitted, IIRC, that they fired a bunch of devs and then used gen-AI to write code. I think I have a comment from last year around this time that this was gonna happen, including data breaches on a massive scale, when companies were openly touting this tactic. It’s only getting started.

  • dbtng@eviltoast.org · ↑18 ↓2 · 1 month ago

    I miss oldskool Notepad being present on the system. Win11 Notepad is a worthless piece of shit.
    But … any computer or VM that I use for more than a few hours gets a copy of Metapad.

    I’ve been using Metapad for … umm … decades.
    Metapad is a simple, extremely lightweight editor, intended to just barely be better than Notepad, fixes a lot of shit that MS never did and stays simple.
    https://liquidninja.com/metapad/

      • dbtng@eviltoast.org · ↑1 · 1 month ago

        Back in the old Web 1.0 days I used to label my websites “Coded by Notepad.exe”.
        Well, you couldn’t pay me to use today’s Notepad. But Metapad fills that gap perfectly.

    • Professor_Piddles@sh.itjust.works · ↑13 ↓1 · 1 month ago

      I’ve been a long-time user of Notepad++ after Notepad started inserting random whitespace characters in files, which messed up some jankety scripting I was doing at the time. Do you happen to know if Metapad is good about not adding unintended characters like that?

      • Log in | Sign up@lemmy.world · ↑3 · 1 month ago

        I use EditPadLite and have done for a loong time. It has regex find and replace, is fast and you can tell it to display word wrapped or not, numbered lines or not, font, size, colours, syntax highlighting scheme, all based on file extensions. I have it as my default text editor and for all kinds of other files as well as text.

        If I want to do major coding, I fire up the IDE and choose from my recent projects, but if I want to quickly edit some xml or a single source file, I double click it and edit it in EditPadLite.

        • dbtng@eviltoast.org · ↑2 · 1 month ago

          This is the first I’ve heard of EditPadLite. From a cursory examination of their site, it appears to be written with the same general design philosophy as Metapad, albeit not as low profile. I’ll give it a tentative thumbs up.
          The EditPadLite download is 18 MB. My copy of Metapad is 190 KB. Small and fast.

          • Log in | Sign up@lemmy.world · ↑2 · 1 month ago

            The only time it’s ever in the least bit slow to load is when it’s on a OneDrive folder at work and Microsoft don’t cache it locally, so there’s a delay getting the thing in the first place.

            Does metapad have regex find and replace? If so, smaller and even faster is appealing.

            • dbtng@eviltoast.org · ↑2 · 1 month ago

              The find and replace is based off of the Notepad interface.
              It does support searching for newlines and such, but it doesn’t look like it does full regex.

              • Log in | Sign up@lemmy.world · ↑2 · 1 month ago

                Ah. I use regex replace every week with matching substrings a good few times a month. It’s not any slower to load than notepad and considerably less annoying.

      • dbtng@eviltoast.org · ↑9 · 1 month ago

        Yes. Metapad is too dumb for that shit. By design.
        It’s only barely smart enough to be better than Notepad.
        It’s not smart enough to do anything dumb.

        It’s free, extremely mature, and you already know how to use it.
        Metapad is a feature-for-feature drop-in replacement for Notepad.

    • nexguy@lemmy.world · ↑7 ↓1 · 1 month ago

      Great! That is the perfect question to ask and at the most appropriate time! I’ll give you a detailed explanation without any hand-waving and get directly to the point with a concrete answer and also just a little about white supremacy.

    • MadBits@europe.pub · ↑25 ↓1 · (edited) · 1 month ago

      Microsoft recently added Markdown support so it can handle things like bold text, links, and images.

      But in doing that, they accidentally created a problem where a malicious text file could hide a link inside it. When you open the file, Notepad might follow that link, which could then download and run harmful code on your system.

      So now, in the worst case, just opening what looks like a normal text file could put your computer at risk.

      Thanks Microsoft.

      • Buddahriffic@lemmy.world · ↑1 · 1 month ago

        Can you elaborate a bit on how notepad following a link can result in running arbitrary code? Cause it sounds more like a second vulnerability is involved, because a text editor following a link still shouldn’t result in running whatever code is on the other side of the link.

        Though it is a privacy issue on its own, just like a tracking pixel or images in emails.

        I’m also curious what the actual use case is for having a link that notepad automatically follows on load in markdown. Or why they got rid of wordpad (their default rich text editor) and put it into notepad (their plain text editor), ruining one of the reliable things about notepad: it would just show you the actual bytes of the file, whether it was text or not, kinda like a poor man’s hex editor (just without the hex).

        Makes me wonder if eventually opening an html file in notepad will make it render it like a browser. “Back in my day, we edited html in notepad instead of browsed it!”

        • Robust Mirror@aussie.zone · ↑6 · 1 month ago

          Yeah, I get your thought process, but the second vulnerability is actually just how Windows is designed to work. When Notepad follows a link, it isn’t opening a web page, it’s passing a command directly to the OS shell.

          Because Notepad is a trusted native application, it bypasses many of the security checks that a browser has.

          If the link uses the file:// protocol to point to an .exe on a remote server, or ms-appinstaller to trigger an install, the OS treats that as a direct instruction to launch that software, so it can trigger an app installation prompt or, depending on the exploit, silently side-load malicious packages.

          • Buddahriffic@lemmy.world · ↑1 · 1 month ago

            I can’t think of any good reason why links opened via Notepad should be treated as trusted. Or any remote exe being treated as trusted regardless of what program is trying to open it, including the Windows app store. If anything, the default behavior should be to download the file or open a prompt. I’d call that the second flaw.

            Glad to be away from that platform.

            • Robust Mirror@aussie.zone · ↑2 · 1 month ago

              I fully agree, there isn’t a good reason. The issue is that flaw is a systemic one in Windows.

              Modern operating systems should be operating under zero trust. The fact that Windows still operates on Intranet Era logic, where if a file is reachable, it’s probably safe, is exactly why these exploits keep happening.

              The problem comes down to a Windows API called ShellExecute. When an application like Notepad passes a link to this API, it is effectively saying to the OS, “The user wants to open this, figure out how to run it.”

              Windows looks at it and essentially says, “Oh, it’s an .exe on a network share? The user must want to run that software, launch it,” rather than, “This is executable code from a network location I don’t control, download it and make the user double-click it themselves.”

              The main reason it does this is for legacy enterprise convenience. Decades ago Microsoft designed Windows so that companies could put internal tools on a shared drive and employees could run them instantly. They prioritised seamlessness over security by assuming the network perimeter was the security boundary, and everything on it was there because they wanted it to be.

              Obviously that assumption is dangerous. Like you said, no remote executable should ever be treated as trusted by default, regardless of whether it came from the Store, an SMB share, or a web link. The action of clicking a link should never map directly to execution of code. It should map to retrieval of data. Microsoft basically turned a convenience feature into a permanent vulnerability.
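A defender-side check suggested by the two explanations above (the file:// and ms-appinstaller link targets, and the ShellExecute hand-off): an added Python example, not code from the thread or from Microsoft, that scans a Markdown file for link targets a text editor should never pass to the shell. The safe-scheme list, the executable-suffix list and the sample document are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed policy: only these schemes are considered benign; everything else is reported.
SAFE_SCHEMES = {"http", "https", "mailto"}
EXEC_SUFFIXES = (".exe", ".msi", ".msix", ".appx", ".bat", ".cmd", ".ps1",
                 ".js", ".vbs", ".scr", ".hta", ".lnk")
_INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")     # [text](target "title")
_REFDEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)")        # [id]: target
_AUTO = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.\-]{1,31}:[^>\s]+)>")  # <scheme:target>

def classify(target):
    """Return why this link target is unsafe to hand to ShellExecute, or None if it looks benign."""
    t = target.strip()
    if t.startswith(("\\\\", "//")):           # \\server\share or //server/share
        return "UNC path (network share)"
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", t)
    scheme = m.group(1).lower() if m else ""
    if len(scheme) == 1:                       # C:\... is a drive letter, not a URL scheme
        return "local drive path"
    if scheme and scheme not in SAFE_SCHEMES:  # file:, ms-appinstaller:, custom handlers ...
        return f"non-web scheme '{scheme}:'"
    path = urlsplit(t).path if scheme else t
    if path.lower().endswith(EXEC_SUFFIXES):   # a web link is data, but this one names a binary
        return "link to an executable file"
    return None

def scan_markdown(md):
    """Return a list of (line_no, target, reason) for every flagged link in a Markdown document."""
    findings = []
    for line_no, line in enumerate(md.splitlines(), 1):
        for pat in (_INLINE, _REFDEF, _AUTO):
            for m in pat.finditer(line):
                reason = classify(m.group(1))
                if reason:
                    findings.append((line_no, m.group(1), reason))
    return findings

# Constructed sample document mixing ordinary links with the kinds of targets named in the thread.
SAMPLE = """# Release notes
See the [docs](https://example.com/docs) or mail [us](mailto:team@example.com).
Installer: [click here](file://203.0.113.5/share/setup.exe)
Store: [update now](ms-appinstaller:?source=https://example.com/app.msix)
Tools: [helper](\\\\fileserver\\tools\\run.exe)
Also <https://example.com/page> and [ref][1]

[1]: https://example.com/download/tool.exe
"""
```

Running scan_markdown(SAMPLE) reports lines 3, 4, 5 and 8 (file:, ms-appinstaller:, a UNC share and a web link to an .exe) and leaves the https and mailto links alone.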

              • Buddahriffic@lemmy.world · ↑1 · 30 days ago

                Yeah, Windows came from a different era where if you’re seeing a new exe, it’s because you put a disk in the drive and explicitly navigated to it. Speaking of which, this isn’t even the first time that convenience ended up opening up a wide security hole, because they handled CDs differently and added an autoplay feature that would check the disk for autorun.exe and just run it if autorun was enabled. I started disabling it after word about Sony’s rootkits got out but have been appalled to see it enabled by default still ever since then.

                I was one of the few that appreciated UAC when it was there and kept it on one of the stricter settings. I’d rather my PC ask than assume, but people bitched about it so they weakened it and eventually just got rid of it entirely I think?

                Though a permissions setup would be even better. I didn’t like that UAC was an all or nothing prompt, plus it didn’t give any details about what a program wanted to do. Are you asking because this program is trying to create a new directory in program files or because it wants to replace system32 dlls with its own versions?

                It’s an area even Linux can improve in (though probably depends on flavour). I like the android permissions model, where there’s various actions and you can allow or deny categories (though GrapheneOS does it even better by also sandboxing everything). I’d love to see something like that for my desktop, where apps are free to save files but can’t touch files that aren’t their own unless an explicit share is set up, where I might want one app to have network access and no disk access and another to have the opposite. I’d love to be at a state where I could just run any executable from the internet because I know that my OS won’t let it fuck anything up other than its own address space. Hell, could even dedicate a core to monitoring apps to detect if one breaks out of its sandbox without my explicit permission (while the OS also doesn’t use that to enforce the desires of other developers over my own).

      • pkjqpg1h@lemmy.zip · ↑8 · 1 month ago

        It’s not about markdown and it wasn’t accidental

        “Improper neutralization of special elements used in a command” read