Comment on A remote code execution vulnerability has been found in Microslop Notepad
Havatra@lemmy.zip 20 hours ago
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
“launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…
ClassyHatter@sopuli.xyz 18 hours ago
As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.
kernelle@lemmy.dbzer0.com 16 hours ago
RCE means exactly this, the ability to run any code on a remote device (the one running notepad).
It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi billion dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation.
Truscape@lemmy.blahaj.zone 15 hours ago
'cause they did, mate.
regedit@lemmy.zip 13 hours ago
They admitted, IIRC, that they fired a bunch of devs and then used gen-AI to write code. I think I have a comment from last year around this time that this was gonna happen, including data breaches on a massive scale, when companies were openly touting this tactic. It’s only getting started.