Submitted 19 hours ago by als@lemmy.blahaj.zone to technology@lemmy.world
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
HA, how do you fuck up notepad?! Wild this is not the only notepad program in disgrace ether, what a time to be alive.
Hows the whole “must update for security” people doing?
To be fair, markdown is a very cool standard.
While I don’t know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice. Means you have support for it on fresh installs, which could be good for virtual machines.
It’s a shame they flubbed the implementation though…
Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.
I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero complication plaintext editor, something with a bit more formatting, and outright typesetting for print.
Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.
It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it
en.wikipedia.org/wiki/Markdown
Here’s the context if anyone didn’t make the link, like me
What even is the point of this comment?
The point is that I’ve seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.
I’m offering a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature, but it can be a useful feature.
I’m fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they’ve added it to Notepad or not at this stage, but given all the places they’ve crammed it into I wouldn’t be surprised.
I use an older version. Am I ok?
You know your notepad version?
Another day another Microslop nonsense
I’d be surprised if it didn’t happen at this point.
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
“launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…
As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.
RCE means exactly this, the ability to run any code on a remote device (the one running notepad).
It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi billion dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation.
I miss oldskool Notepad being present on the system. Win11 Notepad is a worthless piece of shit.
But … any computer or vm that I use for more than a few hours gets a copy of Metapad.
I’ve been using Metapad for … umm … decades.
Metapad is a simple, extremely lightweight editor, intended to just barely be better than Notepad, fixes a lot of shit that MS never did and stays simple.
liquidninja.com/metapad/
I’ve been a long time user of Notepad++ after Notepad started inserting random whitespace characters in files, which messed up some jankety scripting I was doing at the time. Do you happen to know if Metapad is good about not adding unintended characters like that?
Yes. Metapad is too dumb for that shit. By design.
It’s only barely smart enough to be better than Notepad.
It’s not smart enough to do anything dumb.
Its free, extremely mature, and you already know how to use it.
Metapad is a feature-for-feature drop-in replacement for Notepad.
It sounds like a link can be a file path and clicking the link just opens the file. If that’s the case, this is effectively the same risk as filesystem shortcuts.
Microslop leads to macroflop.
Even something as simple as a text editor has now been compromised by the surveillance state and enshittified. smh.
I read on a Mastodon thread that it isn’t actually an RCE vuln
You have to open a .md in notepad for it to
I HATE that the industry started calling these RCE (specifically “passive” RCE). It really muddies the waters.
This isn’t a normal RCE where an attacker can remotely connect in and execute code. Those are very serious.
This is a passive RCE. Basically code injection from inappropriately parsing a file. And it doesn’t need to be remote. You can use a local file.
User interaction required was listed on the MSRC source, but that’s also where “RCE” came from too.
Text modified from hachyderm.io/@pheonix/116050795790003647
Bytemeister@lemmy.world 1 hour ago
Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 150mil in options and bonuses.