Microsoft: I have made Notepad✨
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess I'm going to absolutely lose my shit if this ever happens to stock vi. (No, not vim, though I like the context highlighting.)
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.That’s not an RCE, is it?
-
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.That’s not an RCE, is it?
CNA: Microsoft Corporation.
Published: 2026-02-10
Updated: 2026-02-11Title: Windows Notepad App Remote Code Execution Vulnerability
DescriptionImproper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network
-
CNA: Microsoft Corporation.
Published: 2026-02-10
Updated: 2026-02-11Title: Windows Notepad App Remote Code Execution Vulnerability
DescriptionImproper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network
@HereToChewGum Read the details. There’s no remote execution capability, but rather a user can be tricked into executing code from a remote source.
RCE, as I understand it, doesn’t involve user interaction. This is an ACE, but not an RCE.
-
@HereToChewGum Read the details. There’s no remote execution capability, but rather a user can be tricked into executing code from a remote source.
RCE, as I understand it, doesn’t involve user interaction. This is an ACE, but not an RCE.
The ability to trigger arbitrary code execution (ACE) over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). (Wikipedia)
-
The ability to trigger arbitrary code execution (ACE) over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). (Wikipedia)
It’s not triggered over the network. Read the fine print!
Are you using Grok to talk to me or something?
-
It’s not triggered over the network. Read the fine print!
Are you using Grok to talk to me or something?
I was hoping you would explain what you mean. It is possible that having read the fine print I misunderstood or simpy missed something.
MS describes it as a remote code execution vulnerability.
So maybe you could explain why they are wrong.
Hopefully being able to do that without being insulting is within the apparently limited scope of your social interaction ability?
-
R ActivityRelay shared this topic
