They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
And honestly, that speaks more to the removal of features on the taskbar than Notepad.
One person could have rewritten Notepad from scratch in C++ in a day and bolted in Markdown in a relatively secure fashion in another 2. I doubt security even hit the requirements list. I’m not against moving windows components to Rust. I’ve not against losing features here and there to get there, but blatantly ignoring security because it’s in Rust is downright stupid.
I’m not a programmer, why are people so interested in Rust?
edit: typo
It stops dangerous memory mistakes by design, forces safe handling of data, and eliminates the most commonly used vulnerabilities in C and C++
It encourages secure design, but that forces people who have been writing C/C++ for years to completely rethink how to do many things they’re very proficient at.