They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the “innovation” of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

  • Havatra@lemmy.zip · 35 upvotes · 10 hours ago

    An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

    “launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…

    • Classy Hatter@sopuli.xyz · 9 upvotes · 8 hours ago

      As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.

      • kernelle@lemmy.dbzer0.com · 13 upvotes · 6 hours ago

        RCE means exactly this: the ability to run any code on a remote device (the one running Notepad).

        It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi-billion-dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation?

          • Ænima@lemmy.zip · 3 upvotes · 3 hours ago

            They admitted, IIRC, that they fired a bunch of devs and then used gen-AI to write code. I think I have a comment from last year around this time that this was gonna happen, including data breaches on a massive scale, when companies were openly touting this tactic. It’s only getting started.
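
The thread ties the issue to Markdown links that launch unverified protocols. As an added example (not code from Notepad, Microsoft or any commenter), this shows the scheme allowlist a Markdown renderer can apply before making a link clickable; the allowlist contents, function names and sample document are assumptions.

```javascript
// Added example: scheme allowlist for Markdown link destinations.
// The allowlist, function names and SAMPLE text are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Inline links [text](dest "title") and autolinks <scheme:rest>.
const LINK_RE =
  /\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)|<([A-Za-z][A-Za-z0-9+.-]*:[^\s>]+)>/g;

// Decide what the renderer may do with one link destination.
function classifyDestination(dest) {
  let url;
  try {
    // The WHATWG parser lower-cases the scheme and strips tabs/newlines,
    // so mixed-case or whitespace-split schemes cannot slip past the check.
    url = new URL(dest);
  } catch {
    // No scheme: relative reference or bare path. Render as plain text
    // instead of resolving it against the local file system.
    return { dest, scheme: null, action: "inert" };
  }
  const action = ALLOWED_SCHEMES.has(url.protocol) ? "allow" : "block";
  return { dest, scheme: url.protocol, action };
}

// Classify every link destination found in a Markdown document.
function auditMarkdown(text) {
  const results = [];
  for (const m of text.matchAll(LINK_RE)) {
    results.push(classifyDestination(m[1] ?? m[2]));
  }
  return results;
}

// Constructed sample document, not taken from the advisory.
const SAMPLE = [
  "See [docs](https://example.com/guide) or mail <mailto:team@example.com>.",
  "[local](file:///tmp/notes.txt) and [app](example-handler://open?id=1)",
  "[upper](HTTPS://EXAMPLE.COM/a \"title\") [rel](notes/todo.md)",
].join("\n");

for (const r of auditMarkdown(SAMPLE)) {
  console.log(r.action.padEnd(6), r.scheme ?? "(none)", r.dest);
}
```

Here "allow" means the link may be handed to the default handler for that scheme; "block" and "inert" destinations are rendered as non-clickable text.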