For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
Is that so? I ran pretty often in problems with programs having trouble with non-ANSI characters
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad
It only uses OpenSSL-FIPS variant on Linux for the crypt. On Macos and Windows, it uses OS FIPS primitives for it.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377
Neither vim nor Notepad are purely for displaying text though.
notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".
I read the cwe not cve, was wrong. It's still early in the morning...
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator “notepad %1”` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default)
And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files.
I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS.
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
It's because the program just calls a Windows API to display the version dialog of Windows itself.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy nodepad received, such as LF line ending support.
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
Ok, tabs, I do like the tabs.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
Windows is just a mountain of shit.
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
I didn't even know Notepad would render Markdown.
After they added copilot I finally gave up and uninstalled it and switched to a one of the minimalistic clones of the good old notepad.exe
From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for peristent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
They spent the last few years entirely compromising their products rather than improving them.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
What should I do ?
[1] https://en.wikipedia.org/wiki/Esoteric_programming_language#...
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
So yes, MS will likely denounce this as not their problem and move on.
Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.
This isn't an AI slop problem.
The application of tools is.
There must be something much worse than slop going on to get to this point.