They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the “innovation” of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

    • MadBits@europe.pub
      6 hours ago

      Microsoft recently added Markdown support so it can handle things like bold text, links, and images.

      But in doing that, they accidentally created a problem where a malicious text file could hide a link inside it. When you open the file, Notepad might follow that link, which could then download and run harmful code on your system.

      So now, in the worst case, just opening what looks like a normal text file could put your computer at risk.

      Thanks Microsoft.

      • pkjqpg1h@lemmy.zip
        5 hours ago

        It’s not about markdown and it wasn’t accidentally

        “Improper neutralization of special elements used in a command” read

      • Buddahriffic@lemmy.world
        5 hours ago

        Can you elaborate a bit on how notepad following a link can result in running arbitrary code? Cause it sounds more like a second vulnerability is involved, because a text editor following a link still shouldn’t result in running whatever code is on the other side of the link.

        Though it is a privacy issue on its own, just like a tracking pixel or images in emails.

        I’m also curious what the actual use case is for having a link that notepad automatically follows on load in markdown. Or why they got rid of wordpad (their default rich text editor) and put it into notepad (their plain text editor), ruining one of the reliable things about notepad: it would just show you the actual bytes of the file, whether it was text or not, kinda like a poor man’s hex editor (just without the hex).

        Makes me wonder if eventually opening an html file in notepad will make it render it like a browser. “Back in my day, we edited html in notepad instead of browsed it!”

        • Robust Mirror@aussie.zone
          37 minutes ago

          Yeah I get your thought process, but the second vulnerability is actually just how Windows is designed to work. When Notepad follows a link, it isn’t opening a web page, it’s passing a command directly to the OS shell.

          Because Notepad is a trusted native application, it bypasses many of the security checks that a browser has.

          If the link uses the file:// protocol to point to an .exe on a remote server, or ms-appinstaller to trigger an install, the OS treats that as a direct instruction to launch that software, so it can trigger an app installation prompt or, depending on the exploit, silently side-load malicious packages.
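
Added example, not part of the thread and not Microsoft's fix: the comment above attributes the risk to link targets with schemes such as file:// or ms-appinstaller being handed to the OS, so Markdown files can be triaged by flagging every link whose scheme is outside a small allowlist. The allowlist, the function name `audit_markdown` and the sample text are assumptions constructed for illustration.

```python
import re

# Assumption: schemes an ordinary document needs; anything else is flagged.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

INLINE = re.compile(r"!?\[[^\]]*\]\(\s*<?([^)\s>]+)")          # [text](target)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")  # <scheme:...>
REFDEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)")      # [id]: target
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

# Constructed sample input; hosts use reserved example domains.
SAMPLE = """\
# Release notes (constructed sample)
See the [project site](https://example.com/docs) and [setup](docs/setup.md).
Run the [installer](file://fileserver.example.invalid/share/setup.exe) first.
Or use [one-click install](ms-appinstaller:?source=https://example.invalid/app.msix).
Contact <mailto:team@example.com> or browse <FILE://fileserver.example.invalid/x>.
[ref]: ms-appinstaller:?source=https://example.invalid/b.msix
"""


def audit_markdown(text):
    """Return (line_no, scheme, target) for each link with a non-allowlisted scheme."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        targets = INLINE.findall(line) + AUTOLINK.findall(line) + REFDEF.findall(line)
        # dict.fromkeys de-duplicates targets matched by more than one pattern.
        for target in dict.fromkeys(targets):
            m = SCHEME.match(target)
            # Relative paths and #anchors have no scheme and are not flagged.
            if m and m.group(1).lower() not in ALLOWED_SCHEMES:
                findings.append((no, m.group(1).lower(), target))
    return findings


if __name__ == "__main__":
    for no, scheme, target in audit_markdown(SAMPLE):
        print(f"line {no}: {scheme} -> {target}")
```

The patterns cover inline links, autolinks and reference definitions only; raw HTML inside a Markdown file is not inspected.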

    • nexguy@lemmy.world
      6 hours ago

      Great! That is the perfect question to ask and at the most appropriate time! I’ll give you a detailed explanation without any hand-waving and get directly to the point with a concrete answer and also just a little about white supremacy.