Microsoft: I have made Notepad✨
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.That’s not an RCE, is it?
-
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.That’s not an RCE, is it?
CNA: Microsoft Corporation.
Published: 2026-02-10
Updated: 2026-02-11Title: Windows Notepad App Remote Code Execution Vulnerability
DescriptionImproper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network
-
CNA: Microsoft Corporation.
Published: 2026-02-10
Updated: 2026-02-11Title: Windows Notepad App Remote Code Execution Vulnerability
DescriptionImproper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code over a network
@HereToChewGum Read the details. There’s no remote execution capability, but rather a user can be tricked into executing code from a remote source.
RCE, as I understand it, doesn’t involve user interaction. This is an ACE, but not an RCE.
-
@HereToChewGum Read the details. There’s no remote execution capability, but rather a user can be tricked into executing code from a remote source.
RCE, as I understand it, doesn’t involve user interaction. This is an ACE, but not an RCE.
The ability to trigger arbitrary code execution (ACE) over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). (Wikipedia)
-
The ability to trigger arbitrary code execution (ACE) over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). (Wikipedia)
It’s not triggered over the network. Read the fine print!
Are you using Grok to talk to me or something?
-
It’s not triggered over the network. Read the fine print!
Are you using Grok to talk to me or something?
I was hoping you would explain what you mean. It is possible that having read the fine print I misunderstood or simpy missed something.
MS describes it as a remote code execution vulnerability.
So maybe you could explain why they are wrong.
Hopefully being able to do that without being insulting is within the apparently limited scope of your social interaction ability?
-
R relay@relay.an.exchange shared this topic
-
I was hoping you would explain what you mean. It is possible that having read the fine print I misunderstood or simpy missed something.
MS describes it as a remote code execution vulnerability.
So maybe you could explain why they are wrong.
Hopefully being able to do that without being insulting is within the apparently limited scope of your social interaction ability?
@HereToChewGum If you want an explanation, bloody ask for one. Quoting text your interlocutor went through is a passive aggressive insult at best.
Especially given how you evidently didn’t put even a shred of effort into reading the damn CVE and its sources yourself.
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
-
P pixelate@tweesecake.social shared this topic
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess its a local client-side bug, not an rce, so really you can also mock them for doing some 15yo bug embellishment shit too
-
R relay@relay.infosec.exchange shared this topic
-
@HereToChewGum If you want an explanation, bloody ask for one. Quoting text your interlocutor went through is a passive aggressive insult at best.
Especially given how you evidently didn’t put even a shred of effort into reading the damn CVE and its sources yourself.
@slotos @HereToChewGum@fosstodon.org Which CVE do you mean exactly? The one titled "Windows Notepad App Remote Code Execution Vulnerability"?
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess I strongly object to the term "perfectly good".
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess
"RCE in notepad.exe"Oh, you mean you opened notepad to demonstrate your RCE?
"NO, RCE IN NOTEPAD.EXE"
ಠ_ಠ
-
> How could an attacker exploit this vulnerability?
>
> An attacker could _trick a user into clicking a malicious link_ inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.That’s not an RCE, is it?
@slotos @tess If I understand that text correctly, though not a security researcher, when they speak of unverified protocols and permission as that user they might be talking about Windows internal system protocols that can do things like change settings, not just basic shit like HTTP yeah? Or am I reading that wrong?
-
@slotos @HereToChewGum@fosstodon.org Which CVE do you mean exactly? The one titled "Windows Notepad App Remote Code Execution Vulnerability"?
@ipaschke Sure bud, now demonstrate an RCE scenario using this vulnerability.
Asking user to paste a text into an app and then click a certain part of it does not constitute an RCE. But what do I know, I’m not an infosec person, I just read what’s written and follow available sources.
-
@slotos @tess If I understand that text correctly, though not a security researcher, when they speak of unverified protocols and permission as that user they might be talking about Windows internal system protocols that can do things like change settings, not just basic shit like HTTP yeah? Or am I reading that wrong?
@x0 If other discussions around this are to be trusted, its using ShellExecute. So probably yes.
All in all, don’t click on interactive elements in random files opened in notepad.
-
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess would never call it "good", but your point still stands -
Microsoft: I have made Notepad
Security researchers: You fucked up a perfectly good plaintext editor is what you did. Look at it. It's got RCEs.
@tess
they basically added a notepad:// handler that was string concatenated to a system call, like basic SQL-injections.
So a markdown file with (simplified)notepad://test.txt && c:\path\to\malware.exe
passed that to cmd.exe for execution.
The fix calls notepad.exe directly with passed-on param string.
-
@tess its a local client-side bug, not an rce, so really you can also mock them for doing some 15yo bug embellishment shit too
@0x00string @tess I have had personal experience with msrc liberally applying rce as well.
I get their argument. Because it can be triggered by a user clicking on a link to open remote content, they classify that as rce.
Pretty much any pattern where a user can be coerced remotely will likely get an rce tag is my guess.
But it does mean that other patterns of passive listening vulnerabilities can get watered down.
-
@0x00string @tess I have had personal experience with msrc liberally applying rce as well.
I get their argument. Because it can be triggered by a user clicking on a link to open remote content, they classify that as rce.
Pretty much any pattern where a user can be coerced remotely will likely get an rce tag is my guess.
But it does mean that other patterns of passive listening vulnerabilities can get watered down.
-
️
