Submitted 2 weeks ago by als@lemmy.blahaj.zone to technology@lemmy.world
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 150mil in options and bonuses.
Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 149mil in options and bonuses.
Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.8 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 148mil in options and bonuses.
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
“launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…
As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.
RCE means exactly this, the ability to run any code on a remote device (the one running notepad).
It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi billion dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation.
This has nothing to do with Markdown. It’s disinformation from Microslop.
You can make the link
C:\windows\system32\cmd.exehn
This is so stupid. Why did they add something like this? In Markdown, there is no execution. The only privacy concern might be externally rendered images that can collect your IP (because you are pinging a server)
The content inside the notepad edit window should probably be universally sandboxed from your local box and throw popups when referencing external content with exactly what is being done.
They half assed the implementation.
To have something optimized they need to start from scratch with clean code
related:
The content inside the notepad edit window should probably be universally sandboxed from your local box
Sadly, this was already the case when Notepad stayed in its lane and only handled plain text unicode.
HA, how do you fuck up notepad?! Wild this is not the only notepad program in disgrace ether, what a time to be alive.
Hows the whole “must update for security” people doing?
Back in the year 2000 I was writing intranet apps for a big corporation, using Visual Basic and classic ASP (lol) and IE6 (lolol) for the UI. A very handy if not indispensable tool for this sort of work is the ability to View Source on the generated pages, which popped up the HTML in Notepad. One day for me this simply stopped worked entirely – hitting View Source did nothing and I couldn’t fix the problem on my computer no matter what I did (other people’s computers still worked fine). I even switched to a different computer, set up all my tools and programs as normal, and got the same problem with View Source not working at all. I went like this for six months, and it was a real challenge to debug problems.
Eventually I discovered the problem from a forum post: I had a shortcut to Notepad on my desktop. For no reason I can possibly imagine, this prevented View Source from doing anything at all. It didn’t even have to be a shortcut to Notepad proper; any shortcut that happened to be named “Notepad” would cause the break even if it was a shortcut to some other program. Renaming my shortcut to “NotepadX” fixed the problem. I would LOVE to have some old MS engineer explain to me what the living fuck was going on here.
I have a pretty good guess. They were using ShellExecute or a similar API with only "notepad” as a name or “edit” as a verb. The search order would end up finding your shortcut first.
This would be odd behavior (the path should be be the full path and start at system32) but I don’t have IE6 and Windows 95 to find the exact API lol.
That has to be some kind of special exception in IE6 that they were doing for debugging, and they failed to remove it. Crazy.
Vibe Coding
Another day another Microslop nonsense
I’d be surprised if it didn’t happen at this point.
Lol. Your first sentence should be the headline of this news.
Oh no! Not Microslop! They’re my favorite! What do I do?
Quick! Delete the System32 folder!
done
You need to journey to Epstein’s island to find Bill Gates to discover the secret.
done
I miss oldskool Notepad being present on the system. Win11 Notepad is a worthless piece of shit.
But … any computer or vm that I use for more than a few hours gets a copy of Metapad.
I’ve been using Metapad for … umm … decades.
Metapad is a simple, extremely lightweight editor, intended to just barely be better than Notepad, fixes a lot of shit that MS never did and stays simple.
liquidninja.com/metapad/
I’ve been a long time user of Notepad++ after Notepad started inserting random whitespace characters in files, which messed up some jankety scripting I was doing at the time. Do you happen to know if Metapad is good about not adding unintended characters like that?
Yes. Metapad is too dumb for that shit. By design.
It’s only barely smart enough to be better than Notepad.
It’s not smart enough to do anything dumb.
Its free, extremely mature, and you already know how to use it.
Metapad is a feature-for-feature drop-in replacement for Notepad.
I use EditPadLite and have done for a loong time. It has regex find and replace, is fast and you can tell it to display word wrapped or not, numbered lines or not, font, size, colours, syntax highlighting scheme, all based on file extensions. I have it as my default text editor and for all kinds of other files as well as text.
If I want to do major coding, I fire up the IDE and choose from my recent projects, but if I want to quickly edit some xml or a single source file, I double click it and edit it in EditPadLite.
Windows 11 ltsc comes with old Notepad. Looks like the same one from Windows 10.
Metapad gang +1
Back in the old Web 1.0 days I used to label my websites “Coded by Notepad.exe”.
Well, you couldn’t pay me to use today’s Notepad. But Metapad fills that gap perfectly.
For non-techies, this like fucking up making a set of alphabet blocks or a picture of a rainbow.
Microslop leads to macroflop.
Wait! Can someone explain this to me
Microsoft recently added Markdown support so it can handle things like bold text, links, and images.
But in doing that, they accidentally created a problem where a malicious text file could hide a link inside it. When you open the file, Notepad might follow that link, which could then download and run harmful code on your system.
So now, in the worst case, just opening what looks like a normal text file could put your computer at risk.
It’s not about markdown and it wasn’t accidently
“Improper neutralization of special elements used in a command” read
Can you elaborate a bit on how notepad following a link can result in running arbitrary code? Cause it sounds more like a second vulnerability is involved, because a text editor following a link still shouldn’t result in running whatever code is on the other side of the link.
Though it is a privacy issue on its own, just like a tracking pixel or images in emails.
I’m also curious what the actual use case is for having a link that notepad automatically follows on load in markdown. Or why they got rid of wordpad (their default rich text editor) and put it into notepad (their plain text editor), ruining one of the reliable things about notepad: it would just show you the actual bytes of the file, whether it was text or not, kinda like a poor man’s hex editor (just without the hex).
Makes me wonder if eventually opening an html file in notepad will make it render it like a browser. “Back in my day, we edited html in notepad instead of browsed it!”
Great! That is the prefect question to ask and at the most appropriate time! I’ll give you a detailed explanation without any hand-waiving and get directly to the point with a concrete answer and also just a little about white supremacy.
I like dark absurdity. Good job.
It sounds like a link can be a file path and clicking the link just opens the file. If that’s the case, this is effectively the same risk as filesystem shortcuts.
Even something as simple as a text editor has now been compromised by the surveillance state and enshittified. smh.
inb4 text files from the internet now get a MOTW warning banner like macros in Office lol
I read on a Mastodon thread that it isn’t actually an RCE vuln
You have to open a .md in notepad for it to
I HATE that the industry started calling these RCE (specifically “passive” RCE). It really muddies the waters.
This isn’t a normal RCE where an attacker can remotely connect in and execute code. Those are very serious.
This is a passive RCE. Basically code injection from inappropriately parsing a file. And it doesn’t need to be remote. You can use a local file.
That’s the opposite of how I would understand it though. If you said a passive RCE I would understand that as it being run without me doing anything - in this case, just having notepad open making me vulnerable.
User interaction required was listed on the MSRC source, but that’s also where “RCE” came from too.
paint still good, right?
Didn’t they remove Paint? (I’ve not used Windows in years).
They did, replacing it with Paint3D. But everybody hated it, and now they added Paint back.
Text modified from hachyderm.io/@pheonix/116050795790003647
I use an older version. Am I ok?
If you’re still on windows 10, now’s is fine, by you might not be getting security updates for the whole OS. If you’re on windows 11, notepad is annoying, bloated, has AI, and is a security risk. Also the OS updates you are getting might well be written by AI, and we all know how infallible AI is, right?
Yeah, still on Win10. I’m in the process of building a new computer right now. It will be duel boot, in Linux/ Win11. I intend to continue using my old Win10 machine though for some things. I’ll leave it offline.
You know your notepad version?
it’s spiral bound
It qualifies for c/aboringdystopia imo
cat index.txt hello world^M
/cr/n seems safe
This is the way now…
Microsoft is so fucking stupid
Armand1@lemmy.world 2 weeks ago
To be fair, markdown is a very cool standard.
While I don’t know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice. Means you have support for it on fresh installs, which could be good for virtual machines.
It’s a shame they flubbed the implementation though…
snooggums@piefed.world 2 weeks ago
Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.
ggtdbz@lemmy.dbzer0.com 2 weeks ago
I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero complication plaintext editor, something with a bit more formatting, and outright typesetting for print.
Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.
It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it
whyNotSquirrel@sh.itjust.works 2 weeks ago
en.wikipedia.org/wiki/Markdown
Here’s the context if anyone didn’t make the link, like me
BrilliantantTurd4361@sh.itjust.works 2 weeks ago
What even is the point of this comment?
Armand1@lemmy.world 2 weeks ago
The point is that I’ve seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.
I’m offering a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature, but it can be a useful feature.
I’m fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they’ve added it to Notepad or not at this stage, but given all the places they’ve crammed it into I wouldn’t be surprised.