They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
“launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…
As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.
RCE means exactly this, the ability to run any code on a remote device (the one running notepad).
It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi-billion-dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation?
'cause they did, mate.
They admitted, IIRC, that they fired a bunch of devs and then used gen-AI to write code. I think I have a comment from last year around this time that this was gonna happen, including data breaches on a massive scale, when companies were openly touting this tactic. It’s only getting started.
To be fair, markdown is a very cool standard.
While I don’t know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice.
This means you have support for it on fresh Windows installs, which could be good for virtual machines. That said, Markdown is intrinsically pretty readable without formatting anyway.
It’s a shame they flubbed the implementation though…
Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.
I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero complication plaintext editor, something with a bit more formatting, and outright typesetting for print.
Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.
It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it.
Have you seen typst? It looks to be similar to LaTeX, but based on markdown.
I’m a huge proponent of LaTeX also, but I feel like it’s not that widely used outside of specific professional niches. The biggest issue I have with Word (and similar software) is the content generation and typesetting being forced into the same interface. It just breaks everything all the time. I’d be much happier using Word if it only allowed you to type in an Edit mode, and only allowed you to change fonts and layout and stuff in a View mode, and the View mode changes weren’t reflected live in the Edit mode.
I’ve had to use Office a lot professionally and I have to say you do get to learn its quirks over time if you’re stubborn enough to figure out what triggers each unexpected behavior. Ironically learning LaTeX really helped me figure out what’s happening internally in Word in some of those situations, just understanding how the breaks and spaces might be stored gives you a little extra insight.
AFAIK you can do something similar to what you’re describing in outline mode but I could be completely misremembering.
All the Office suite is bloated but LibreOffice still feels a long way off.
https://en.wikipedia.org/wiki/Markdown
Here’s the context if anyone didn’t make the link, like me
What even is the point of this comment?
The point is that I’ve seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.
I’m offering a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature, but it can be a useful feature.
I’m fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they’ve added it to Notepad or not at this stage, but given all the places they’ve crammed it into I wouldn’t be surprised.
…a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature…
That’s called bloat.
It sounds like a link can be a file path and clicking the link just opens the file. If that’s the case, this is effectively the same risk as filesystem shortcuts.
Or the same risk as just clicking on random links.
Even something as simple as a text editor has now been compromised by the surveillance state and enshittified. smh.
Text modified from https://hachyderm.io/@pheonix/116050795790003647
Microslop leads to macroflop.
I read on a Mastodon thread that it isn’t actually an RCE vuln
You have to open a .md in notepad for it to
I HATE that the industry started calling these RCE (specifically “passive” RCE). It really muddies the waters.
This isn’t a normal RCE where an attacker can remotely connect in and execute code. Those are very serious.
This is a passive RCE. Basically code injection from inappropriately parsing a file. And it doesn’t need to be remote. You can use a local file.
User interaction required was listed on the MSRC source, but that’s also where “RCE” came from too.
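Added example, not part of the thread and not Microsoft's code: the advisory text quoted above describes Markdown links that launch unverified protocols, so this sketch audits a Markdown document and reports every link target whose scheme is outside an allowlist, plus raw network and drive paths. The allowlist, the function names and the sample document are assumptions made for illustration.

```python
import re

# Assumption: schemes a renderer is willing to hand to the OS; adjust per policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Inline links [text](target), reference definitions [id]: target, autolinks <scheme:...>
LINK_PATTERNS = [
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?(\S+?)>?\s*$", re.MULTILINE),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]*)>"),
]
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def classify(target):
    """Return 'allowed', 'relative', or a reason string for a blocked target."""
    # Drop whitespace and control characters that some URI handlers ignore.
    cleaned = "".join(ch for ch in target if ch > " " and ch != "\x7f")
    if cleaned.startswith(("\\\\", "//")):
        return "blocked: network path"
    m = SCHEME_RE.match(cleaned)
    if not m:
        return "relative"
    scheme = m.group(1).lower()  # schemes are case-insensitive
    if len(scheme) == 1:
        return "blocked: drive path"  # e.g. C:\... parses as a one-letter scheme
    return "allowed" if scheme in ALLOWED_SCHEMES else f"blocked: scheme {scheme}"

def audit_markdown(text):
    """Return sorted (target, verdict) pairs for every blocked link target."""
    findings = set()
    for pattern in LINK_PATTERNS:
        for target in pattern.findall(text):
            verdict = classify(target)
            if verdict.startswith("blocked"):
                findings.add((target, verdict))
    return sorted(findings)

# Constructed sample document; the non-web targets are placeholders.
SAMPLE = """\
See the [docs](https://example.com/readme) or [mail us](mailto:a@example.com).
Open the [report](FILE:///C:/placeholder/report.txt) and the [tool](custom-handler://placeholder).
[share]: \\\\placeholder-host\\share\\notes.txt
A [sibling page](other.md) and <https://example.org> are fine.
"""

if __name__ == "__main__":
    for target, verdict in audit_markdown(SAMPLE):
        print(f"{verdict:32} {target}")
```

The same allowlist decision belongs in the renderer itself, at the point where a clicked link would be handed to the operating system.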






