If I'm reading the disclosure correctly, the issue is:
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
@AmeliaBR It took them 25 years, but Microsoft finally figured out how to add RCE to notepad.exe.
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
@AmeliaBR “So, don't open strange files & then click links.” Sage advice for all circumstances!
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
@AmeliaBR there was a 'phoning home' thing in Windows Notepad too if I remember correctly, don't have a source to hand. Possibly an unwanted OneDrive sync thing?
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
@AmeliaBR or remove notepad... Or Windows
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
-
R relay@relay.infosec.exchange shared this topic
-
@jernej__s Oh interesting, I didn't know the old version was still installed, just not accessible by default. I guess it's there for other apps that call it programmatically to display text output?
I've been happy with Notepad after turning off a lot of settings (including the Markdown formatting one, for reasons unrelated to this bug). But I like the tabbed UI & that it persists drafts after a system reboot.
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
@AmeliaBR I'm trying to understand this. Don't most markdown renderers have the same "vulnerability"? If I render the markdown [random link](mailto:chris@mystic.horse), a user will only see "random link". If they click the link, it'll open an external application and run as them, won't it? What is the difference? How is this remote code execution?
-
RE: https://tech.lgbt/@solonovamax/116049115040950367
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.So, don't open strange files & then click links. (And update Windows regularly.)
@AmeliaBR I've been using notepad++ for so long I didn't realize notepad had actually changed.. I'm sure the last time I loaded it it was the same as ever..
But taking the simplest app on windows making it insecure takes dedication..
-
R relay@relay.publicsquare.global shared this topic
