They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
Microsoft recently added Markdown support so it can handle things like bold text, links, and images.
But in doing that, they accidentally created a problem where a malicious text file could hide a link inside it. When you open the file, Notepad might follow that link, which could then download and run harmful code on your system.
So now, in the worst case, just opening what looks like a normal text file could put your computer at risk.
Thanks Microsoft.
It’s not about markdown and it wasn’t accidently
“Improper neutralization of special elements used in a command” read
also this problem was known since 2006: https://devblogs.microsoft.com/oldnewthing/20060509-30/?p=31263
Can you elaborate a bit on how notepad following a link can result in running arbitrary code? Cause it sounds more like a second vulnerability is involved, because a text editor following a link still shouldn’t result in running whatever code is on the other side of the link.
Though it is a privacy issue on its own, just like a tracking pixel or images in emails.
I’m also curious what the actual use case is for having a link that notepad automatically follows on load in markdown. Or why they got rid of wordpad (their default rich text editor) and put it into notepad (their plain text editor), ruining one of the reliable things about notepad: it would just show you the actual bytes of the file, whether it was text or not, kinda like a poor man’s hex editor (just without the hex).
Makes me wonder if eventually opening an html file in notepad will make it render it like a browser. “Back in my day, we edited html in notepad instead of browsed it!”
Yeah I get your thought process, but the second vulnerability is actually just how Windows is designed to work. When Notepad follows a link, it isn’t opening a web page, it’s passing a command directly to the OS shell.
Because Notepad is a trusted native application, it bypasses many of the security checks that a browser has.
If the link uses the file:// protocol to point to an .exe on a remote server, or ms-appinstaller to trigger an install, the OS treats that as a direct instruction to launch that software, so it can trigger an app installation prompt or, depending on the exploit, silently side-load malicious packages.
I can’t think of any good reason why links opened via notepad should be treated as trusted. Or any remote exe being treated as trusted regardless of what program is trying to open it, including the windows app store. If anything, the default behavior should be to download the file or open a prompt. I’d call that the second flaw.
Glad to be away from that platform.
I fully agree, there isn’t a good reason. The issue is that flaw is a systemic one in Windows.
Modern operating systems should be operating under zero trust. The fact that Windows still operates on Intranet Era logic, where if a file is reachable, it’s probably safe, is exactly why these exploits keep happening.
The problem comes down to a Windows API called ShellExecute. When an application like Notepad passes a link to this API, it is effectively saying to the OS, The user wants to open this, figure out how to run it.
Windows looks at it and essentially says, Oh, it’s an .exe on a network share? The user must want to run that software, launch it, rather than, This is executable code from a network location I don’t control, download it and make the user double-click it themselves.
The main reason it does this is for legacy enterprise convenience. Decades ago Microsoft designed Windows so that companies could put internal tools on a shared drive and employees could run them instantly. They prioritised seamlessness over security by assuming the network perimeter was the security boundary, and everything on it was there because they wanted it to be.
Obviously that assumption is dangerous. Like you said, no remote executable should ever be treated as trusted by default, regardless of whether it came from the Store, an SMB share, or a web link. The action of clicking a link should never map directly to execution of code. It should map to retrieval of data. Microsoft basically turned a convenience feature into a permanent vulnerability.
Yeah, windows came from a different era where if you’re seeing a new exe, it’s because you put a disk in the drive and explicitly navigated to it. Speaking of which, this isn’t even the first time that convenience ended up opening up a wide security hole because they handled CDs differently and added an autoplay feature that would check the disk for autorun.exe and just run it if autorun was enabled. I started disabling it after word about sony’s rootkits got out but have been appalled to see it enabled by default still ever since then.
I was one of the few that appreciated UAC when it was there and kept it on one of the stricter settings. I’d rather my PC ask than assume, but people bitched about it so they weakened it and eventually just got rid of it entirely I think?
Though a permissions setup would be even better. I didn’t like that UAC was an all or nothing prompt, plus it didn’t give any details about what a program wanted to do. Are you asking because this program is trying to create a new directory in program files or because it wants to replace system32 dlls with its own versions?
It’s an area even Linux can improve in (though probably depends on flavour). I like the android permissions model, where there’s various actions and you can allow or deny categories (though GrapheneOS does it even better by also sandboxing everything). I’d love to see something like that for my desktop, where apps are free to save files but can’t touch files that aren’t their own unless an explicit share is set up, where I might want one app to have network access and no disk access and another to have the opposite. I’d love to be at a state where I could just run any executable from the internet because I know that my OS won’t let it fuck anything up other than its own address space. Hell, could even dedicate a core to monitoring apps to detect if one breaks out of its sandbox without my explicit permission (while the OS also doesn’t use that to enforce the desires of other developers over my own).