Microsoft: I have made Notepad✨
-
Microsoft: I have made Notepad

Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
-
@tess I'm going to absolutely lose my shit if this ever happens to stock vi. (No, not vim, though I like the context highlighting.)
-
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

That’s not an RCE, is it?
-
CNA: Microsoft Corporation.
Published: 2026-02-10
Updated: 2026-02-11
Title: Windows Notepad App Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network
-
@HereToChewGum Read the details. There’s no remote execution capability, but rather a user can be tricked into executing code from a remote source.
RCE, as I understand it, doesn’t involve user interaction. This is an ACE, but not an RCE.
-
The ability to trigger arbitrary code execution (ACE) over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). (Wikipedia)
-
It’s not triggered over the network. Read the fine print!
Are you using Grok to talk to me or something?
-
I was hoping you would explain what you mean. It is possible that having read the fine print I misunderstood or simply missed something.
MS describes it as a remote code execution vulnerability.
So maybe you could explain why they are wrong.
Hopefully being able to do that without being insulting is within the apparently limited scope of your social interaction ability?
-
@HereToChewGum If you want an explanation, bloody ask for one. Quoting text your interlocutor went through is a passive aggressive insult at best.
Especially given how you evidently didn’t put even a shred of effort into reading the damn CVE and its sources yourself.
-
@tess it's a local client-side bug, not an rce, so really you can also mock them for doing some 15yo bug embellishment shit too