They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
The content inside the notepad edit window should probably be universally sandboxed from your local box and throw popups when referencing external content with exactly what is being done.
They half assed the implementation.
Sadly, this was already the case when Notepad stayed in its lane and only handled plain text unicode.
To have something optimized they need to start from scratch with clean code
related:
And honestly, that speaks more to the removal of features on the taskbar than Notepad.
One person could have rewritten Notepad from scratch in C++ in a day and bolted in Markdown in a relatively secure fashion in another 2. I doubt security even hit the requirements list. I’m not against moving windows components to Rust. I’ve not against losing features here and there to get there, but blatantly ignoring security because it’s in Rust is downright stupid.
I’m not a programmer, why are people so interested in Rust?
edit: typo
It stops dangerous memory mistakes by design, forces safe handling of data, and eliminates the most commonly used vulnerabilities in C and C++
It encourages secure design, but that forces people who have been writing C/C++ for years to completely rethink how to do many things they’re very proficient at.
Rolling out AI with the stated purpose of reducing technical debt is just fucking hilarious to me