This is a most excellent place for technology news and articles.
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad
So you can give someone a Markdown file with a link to an application, and if they click the link the application runs.
Markdown supports links, yeah.
But Notepad doesn't, so it shouldn't render .md files, it should just show the markdown code.
They keep adding stuff to notepad that no one was asking for. Like tabs and saving on exit, which breaks the workflow of having notepad be a throwaway scratch pad.
An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
"launching unverified protocols" - does that mean the network fetching is done by the Notepad app, and Notepad doesn't open the browser for this..? If so, bloody hell, Microsoft...
As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.
To be fair, markdown is a very cool standard.
While I don't know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice.
This means you have support for it on fresh Windows installs, which could be good for virtual machines. That said, Markdown is intrinsically pretty readable without formatting anyway.
It's a shame they flubbed the implementation though...
Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.
I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero complication plaintext editor, something with a bit more formatting, and outright typesetting for print.
Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.
It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it
I’m a huge proponent of LaTeX also, but I feel like it’s not that widely used outside of specific professional niches. The biggest issue I have with Word (and similar software) is the content generation and typesetting being forced into the same interface. It just breaks everything all the time. I’d much happier using word if it only allowed you to type in an Edit mode, and only allowed you to change fonts and layout and stuff in a View mode, and the View mode changes weren’t reflected live in the Edit mode.
What even is the point of this comment?
The point is that I've seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.
I'm offering a counterpoint that this is not necessarily bloat. It's debatable that this is the right tool to have this feature, but it can be a useful feature.
I'm fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they've added it to Notepad or not at this stage, but given all the places they've crammed it into I wouldn't be surprised.
...a counterpoint that this is not necessarily bloat. It's debatable that this is the right tool to have this feature...
That's called bloat.
Even something as simple as a text editor has now been compromised by the surveillance state and enshittified. smh.
It sounds like a link can be a file path and clicking the link just opens the file. If that's the case, this is effectively the same risk as filesystem shortcuts.
Or the same risk as just clicking on random links.
Microslop leads to macroflop.
I read on a Mastodon thread that it isn’t actually an RCE vuln
You have to open a .md in notepad for it to
I HATE that the industry started calling these RCE (specifically "passive" RCE). It really muddies the waters.
This isn't a normal RCE where an attacker can remotely connect in and execute code. Those are very serious.
This is a passive RCE. Basically code injection from inappropriately parsing a file. And it doesn't need to be remote. You can use a local file.
User interaction required was listed on the MSRC source, but that's also where "RCE" came from too.
