Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

  • mlg@lemmy.worldEnglish
    7·
    1 day ago

    inb4 text files from the internet now get a MOTW warning banner like macros in Office lol

  • Bytemeister@lemmy.worldEnglish
    53·
    2 days ago

    Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 150mil in options and bonuses.

    • MinnesotaGoddam@lemmy.worldEnglish
      44·
      2 days ago

      Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.9 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 149mil in options and bonuses.

      • Magnum, P.I.@infosec.pubEnglish
        19·
        2 days ago

        Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.8 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 148mil in options and bonuses.

  • pkjqpg1h@lemmy.zipEnglish
    26·
    2 days ago

    This has nothing to do with Markdown. It’s disinformation from Microslop.

    You can make the link C:\windows\system32\cmd.exe hn

    This is so stupid. Why did they add something like this? In Markdown, there is no execution. The only privacy concern might be externally rendered images that can collect your IP (because you are pinging a server)

    • MadBits@europe.pubEnglish
      251·
      2 days ago

      Microsoft recently added Markdown support so it can handle things like bold text, links, and images.

      But in doing that, they accidentally created a problem where a malicious text file could hide a link inside it. When you open the file, Notepad might follow that link, which could then download and run harmful code on your system.

      So now, in the worst case, just opening what looks like a normal text file could put your computer at risk.

      Thanks Microsoft.

      • pkjqpg1h@lemmy.zipEnglish
        8·
        2 days ago

        It’s not about markdown and it wasn’t accidently

        “Improper neutralization of special elements used in a command” read

      • Buddahriffic@lemmy.worldEnglish
        1·
        2 days ago

        Can you elaborate a bit on how notepad following a link can result in running arbitrary code? Cause it sounds more like a second vulnerability is involved, because a text editor following a link still shouldn’t result in running whatever code is on the other side of the link.

        Though it is a privacy issue on its own, just like a tracking pixel or images in emails.

        I’m also curious what the actual use case is for having a link that notepad automatically follows on load in markdown. Or why they got rid of wordpad (their default rich text editor) and put it into notepad (their plain text editor), ruining one of the reliable things about notepad: it would just show you the actual bytes of the file, whether it was text or not, kinda like a poor man’s hex editor (just without the hex).

        Makes me wonder if eventually opening an html file in notepad will make it render it like a browser. “Back in my day, we edited html in notepad instead of browsed it!”

        • Robust Mirror@aussie.zoneEnglish
          6·
          1 day ago

          Yeah I get your thought process, but the second vulnerability is actually just how Windows is designed to work. When Notepad follows a link, it isn’t opening a web page, it’s passing a command directly to the OS shell.

          Because Notepad is a trusted native application, it bypasses many of the security checks that a browser has.

          If the link uses the file:// protocol to point to an .exe on a remote server, or ms-appinstaller to trigger an install, the OS treats that as a direct instruction to launch that software, so it can trigger an app installation prompt or, depending on the exploit, silently side-load malicious packages.

          • Buddahriffic@lemmy.worldEnglish
            1·
            1 day ago

            I can’t think of any good reason why links opened via notepad should be treated as trusted. Or any remote exe being treated as trusted regardless of what program is trying to open it, including the windows app store. If anything, the default behavior should be to download the file or open a prompt. I’d call that the second flaw.

            Glad to be away from that platform.

            • Robust Mirror@aussie.zoneEnglish
              2·
              11 hours ago

              I fully agree, there isn’t a good reason. The issue is that flaw is a systemic one in Windows.

              Modern operating systems should be operating under zero trust. The fact that Windows still operates on Intranet Era logic, where if a file is reachable, it’s probably safe, is exactly why these exploits keep happening.

              The problem comes down to a Windows API called ShellExecute. When an application like Notepad passes a link to this API, it is effectively saying to the OS, The user wants to open this, figure out how to run it.

              Windows looks at it and essentially says, Oh, it’s an .exe on a network share? The user must want to run that software, launch it, rather than, This is executable code from a network location I don’t control, download it and make the user double-click it themselves.

              The main reason it does this is for legacy enterprise convenience. Decades ago Microsoft designed Windows so that companies could put internal tools on a shared drive and employees could run them instantly. They prioritised seamlessness over security by assuming the network perimeter was the security boundary, and everything on it was there because they wanted it to be.

              Obviously that assumption is dangerous. Like you said, no remote executable should ever be treated as trusted by default, regardless of whether it came from the Store, an SMB share, or a web link. The action of clicking a link should never map directly to execution of code. It should map to retrieval of data. Microsoft basically turned a convenience feature into a permanent vulnerability.

              • Buddahriffic@lemmy.worldEnglish
                1·
                10 hours ago

                Yeah, windows came from a different era where if you’re seeing a new exe, it’s because you put a disk in the drive and explicitly navigated to it. Speaking of which, this isn’t even the first time that convenience ended up opening up a wide security hole because they handled CDs differently and added an autoplay feature that would check the disk for autorun.exe and just run it if autorun was enabled. I started disabling it after word about sony’s rootkits got out but have been appalled to see it enabled by default still ever since then.

                I was one of the few that appreciated UAC when it was there and kept it on one of the stricter settings. I’d rather my PC ask than assume, but people bitched about it so they weakened it and eventually just got rid of it entirely I think?

                Though a permissions setup would be even better. I didn’t like that UAC was an all or nothing prompt, plus it didn’t give any details about what a program wanted to do. Are you asking because this program is trying to create a new directory in program files or because it wants to replace system32 dlls with its own versions?

                It’s an area even Linux can improve in (though probably depends on flavour). I like the android permissions model, where there’s various actions and you can allow or deny categories (though GrapheneOS does it even better by also sandboxing everything). I’d love to see something like that for my desktop, where apps are free to save files but can’t touch files that aren’t their own unless an explicit share is set up, where I might want one app to have network access and no disk access and another to have the opposite. I’d love to be at a state where I could just run any executable from the internet because I know that my OS won’t let it fuck anything up other than its own address space. Hell, could even dedicate a core to monitoring apps to detect if one breaks out of its sandbox without my explicit permission (while the OS also doesn’t use that to enforce the desires of other developers over my own).

    • nexguy@lemmy.worldEnglish
      71·
      2 days ago

      Great! That is the prefect question to ask and at the most appropriate time! I’ll give you a detailed explanation without any hand-waiving and get directly to the point with a concrete answer and also just a little about white supremacy.

  • M0oP0o@mander.xyzEnglish
    25·
    2 days ago

    HA, how do you fuck up notepad?! Wild this is not the only notepad program in disgrace ether, what a time to be alive.

    Hows the whole “must update for security” people doing?

    • ChickenLadyLovesLife@lemmy.worldEnglish
      15·
      2 days ago

      Back in the year 2000 I was writing intranet apps for a big corporation, using Visual Basic and classic ASP (lol) and IE6 (lolol) for the UI. A very handy if not indispensable tool for this sort of work is the ability to View Source on the generated pages, which popped up the HTML in Notepad. One day for me this simply stopped worked entirely – hitting View Source did nothing and I couldn’t fix the problem on my computer no matter what I did (other people’s computers still worked fine). I even switched to a different computer, set up all my tools and programs as normal, and got the same problem with View Source not working at all. I went like this for six months, and it was a real challenge to debug problems.

      Eventually I discovered the problem from a forum post: I had a shortcut to Notepad on my desktop. For no reason I can possibly imagine, this prevented View Source from doing anything at all. It didn’t even have to be a shortcut to Notepad proper; any shortcut that happened to be named “Notepad” would cause the break even if it was a shortcut to some other program. Renaming my shortcut to “NotepadX” fixed the problem. I would LOVE to have some old MS engineer explain to me what the living fuck was going on here.

      • Liketearsinrain@lemmy.mlEnglish
        4·
        2 days ago

        I have a pretty good guess. They were using ShellExecute or a similar API with only "notepad” as a name or “edit” as a verb. The search order would end up finding your shortcut first.

        This would be odd behavior (the path should be be the full path and start at system32) but I don’t have IE6 and Windows 95 to find the exact API lol.

        • ChickenLadyLovesLife@lemmy.worldEnglish
          1·
          2 days ago

          The search order would end up finding your shortcut first.

          Sure, but in my case “Notepad” was a shortcut to actual Notepad.exe. It still should have worked.

      • limelight79@lemmy.worldEnglish
        3·
        2 days ago

        That has to be some kind of special exception in IE6 that they were doing for debugging, and they failed to remove it. Crazy.

  • Armand1@lemmy.worldEnglish
    1201·
    3 days ago

    To be fair, markdown is a very cool standard.

    While I don’t know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice.

    This means you have support for it on fresh Windows installs, which could be good for virtual machines. That said, Markdown is intrinsically pretty readable without formatting anyway.

    It’s a shame they flubbed the implementation though…

    • [deleted]@piefed.worldEnglish
      130·
      3 days ago

      Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.

      • ggtdbz@lemmy.dbzer0.comEnglish
        69·
        3 days ago

        I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero complication plaintext editor, something with a bit more formatting, and outright typesetting for print.

        Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.

        It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it

        • tate@lemmy.sdf.orgEnglish
          2·
          2 days ago

          MS Word is not a typesetting program. It is a wysiwyg graphics program - a very different beast.

        • ChristerMLB@piefed.socialEnglish
          1·
          2 days ago

          Pretty sure no type setter or graphic designer would use Word for anything else than making Word templates.

        • Log in | Sign up@lemmy.worldEnglish
          2·
          2 days ago

          WordPad writes fairly clean rtf. Word writes incredibly bloated messy rtf. No, I don’t want to use a .docx or .pdf generating library, I just wanna slap some strings together and have it come out ready to print yet editable by non techy users. I use wordpad to write my templates.

        • borari@lemmy.dbzer0.comEnglish
          6·
          3 days ago

          I’m a huge proponent of LaTeX also, but I feel like it’s not that widely used outside of specific professional niches. The biggest issue I have with Word (and similar software) is the content generation and typesetting being forced into the same interface. It just breaks everything all the time. I’d much happier using word if it only allowed you to type in an Edit mode, and only allowed you to change fonts and layout and stuff in a View mode, and the View mode changes weren’t reflected live in the Edit mode.

          • ggtdbz@lemmy.dbzer0.comEnglish
            4·
            3 days ago

            I’ve had to use Office a lot professionally and I have to say you do get to learn its quirks over time if you’re stubborn enough to figure out what triggers each unexpected behavior. Ironically learning LaTeX really helped me figure out what’s happening internally in Word in some of those situations, just understanding how the breaks and spaces might be stored gives you a little extra insight.

            AFAIK you can do something similar to what you’re describing in outline mode but I could be completely misremembering.

            All the Office suite is bloated but LibreOffice still feels a long way off.

      • Armand1@lemmy.worldEnglish
        122·
        3 days ago

        The point is that I’ve seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.

        I’m offering a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature, but it can be a useful feature.

        I’m fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they’ve added it to Notepad or not at this stage, but given all the places they’ve crammed it into I wouldn’t be surprised.

        • forrgott@lemmy.sdf.orgEnglish
          107·
          3 days ago

          …a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature…

          That’s called bloat.

  • MuskyMelon@lemmy.worldEnglish
    13·
    2 days ago

    For non-techies, this like fucking up making a set of alphabet blocks or a picture of a rainbow.

  • FaceDeer@fedia.io
    482·
    3 days ago

    An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad

    So you can give someone a Markdown file with a link to an application, and if they click the link the application runs.

    Markdown supports links, yeah.

    • Echo Dot@feddit.ukEnglish
      623·
      3 days ago

      But Notepad doesn’t, so it shouldn’t render .md files, it should just show the markdown code.

      They keep adding stuff to notepad that no one was asking for. Like tabs and saving on exit, which breaks the workflow of having notepad be a throwaway scratch pad.

      • Taleya@aussie.zoneEnglish
        9·
        2 days ago

        Fucking hell i have notepad++ for that shit.

        Average users don’t need that functionality , and those that do already don’t use notepad for it

        • Echo Dot@feddit.ukEnglish
          1·
          2 days ago

          My god it’s useless. It’s the most limited markdown editor in the world. It lacks so much basic function that you would have to download an actual markdown editor if you were ever going to use it, so there’s no point in notepad having the functionality, and then at the end of the day it’s in a file format that basically doesn’t exist outside of the web.

          Microsoft Word cannot open it. So a Microsoft text editor program, can create a file that a different Microsoft text editor program can’t read, despite markdown being a supposedly universal standard. Wow.

      • PoopingCough@lemmy.worldEnglish
        112·
        3 days ago

        Funnily enough, you used as an example the only new feature I actually like and rely on. I use it for things like PWs for shared service accounts (dont @ me, I know it’s bad practice and our org does have a pw manager but these accounts aren’t managed by it and I am not in control of them)

        Also useful for things that are needed temporarily but I dont know how long that ‘temporary’ is going to be.

        • jj4211@lemmy.worldEnglish
          2·
          2 days ago

          keeppassxc for local password manager. More secure and more helpful UI for that very purpose, also can hold your top and let you ctrl-t the current number into to clipboard.

          • PoopingCough@lemmy.worldEnglish
            1·
            2 days ago

            Good advice, but unfortuntlately my org is pretty strict about using unnaproved software and that’s definitely not on the approved list lol

  • Havatra@lemmy.zipEnglish
    55·
    3 days ago

    An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

    “launching unverified protocols” - does that mean the network fetching is done by the Notepad app, and Notepad doesn’t open the browser for this…? If so, bloody hell, Microsoft…

    • Classy Hatter@sopuli.xyzEnglish
      21·
      3 days ago

      As I understood it, there can be specifically crafted links in Markdown documents, which, when clicked, will download a file and then execute it.

      • kernelle@lemmy.dbzer0.comEnglish
        26·
        3 days ago

        RCE means exactly this, the ability to run any code on a remote device (the one running notepad).

        It’s a parsing issue. I’ve encountered the same writing an MD parser for a website, not as trivial to solve as it seems. For a multi billion dollar company this is hilariously stupid. Why do I get the feeling someone vibecoded this entire implementation.

          • Ænima@lemmy.zipEnglish
            9·
            3 days ago

            They admitted, IIRC, that they fired a bunch of devs and then used gen-AI to write code. I think I have a comment from last year around this time that this was gonna happen, including data breaches on a massive scale, when companies were openly touting this tactic. It’s only getting started.