64 comments

[ 2.8 ms ] story [ 65.6 ms ] thread
So what this means is every Windows program is now a cve nightmare (or goldmine, depending on view)?
Yeah, clicking unverified links in a markdown document to launch an executable....

Clicking unknown links is always a bad idea, but a CVE for that? I dunno....

Just now Notepad integrates very useful copilot assistant... What can go wrong
i imagine it’s probably something to do with the massive scope creep recently, especially with AI and the Markdown features - they’ve tried to fit some of WordPad’s rich text features following its removal
I miss when the Notepad was doing what the Notepad is supposed to do: show a text file, plain and simple.
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files."

I didn't even know Notepad would render Markdown.

What AI great job!
Notepad had one job... Seems like bringing markdown features killed it :)
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)

What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...

Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...

We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.

For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.

At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"

Now imagine that there are people who want to embed video players and image viewing in the terminal :D.
Seems whatever they do they step in shit. They should stop doing stuff.

They spent the last few years entirely compromising their products rather than improving them.

I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too
Notepad always used to be essentially the standard MFC multiline text editor control in a window.

Wordpad was the same but a rich text editor control.

There’s very little need for it to have ever become more.

> though the "about notepad" dialog shows the windows 11 version for some reason??

For many built in windows apps, the 'about this program' menu item just invokes a separate program, 'winver'. If you go Start -> Run and type in winver, it does the same thing.

I used notepad as my default, simple text editor for ages.

After they added copilot I finally gave up and uninstalled it and switched to a one of the minimalistic clones of the good old notepad.exe

A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.

At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…

That was a CCP group compromising the Notepad++'s underlying hosting provider; not really much to be done there aside from switching hosting providers. The update validation was also improved, and there's also scoop if you don't trust the built-in updater. Fortunately the attack was narrowly targeted and the IOCs are known.
We got notepad.exe RCE before GTA 6
So notepad now renders links, then when clicks execute the code on those links (not just loading a website in a browser for example)?
You can literally one-shot Opus 4.6 to make a better, faster, safer, more secure notepad.exe than the one that comes with Windows.

This isn't an AI slop problem.

I'd now like to see a RCE in MS Paint or Calculator, if the exploit finder is reading this.
use SublimeText, it is perhaps faster now than the stock Notepad
8.8 RCE CVE in notepad.exe. Well done microslop
I'm frankly amazed that the majority of new laptops still come with Microsoft Windows.

To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for peristent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.

At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.

It looks like, after Microsoft discontinued WordPad, they want to implement more features into Notepad. If you want simple plain text editor you have to use msedit[1].

[1]https://github.com/microsoft/edit