Windows Notepad App Remote Code Execution Vulnerability
42 points by cfenollosa
I liked this summary from Amelia Bellamy-Royds:
If I'm reading the disclosure correctly, the issue is:
- Windows Notepad is more than just a plain text editor now.
- In particular, it has a markdown preview feature, including clickable links.
- But, it doesn't have full web browser security processes for what to do if you click on a link with a protocol that triggers a local application. It gets treated as if the user was directly running that application.
So, don't open strange files & then click links. (And update Windows regularly.)
"Just don't do the thing" is terrible security advice, especially in an era where OS + app vendors are bolting "AI" into every product. Even experienced, savvy computer users can't be expected to stop and consider the security implications of every tap or mouse click they make, and when apps literally shipped as part of the most popular OS on the planet have gaping security holes it's unfair to shift the responsibility to users for that failing.
“Just don’t do the thing” is the best security advice from the other direction though. A feature you don’t add is a feature that can’t have a vulnerability.
Telling developers "just don't add the feature" can be excellent security advice. Telling users "just don't do the thing" (which the quoted summary does: "don't open strange files & then click links") is what's being complained about here.
I think that's a slightly harsh interpretation of it. It doesn't really say "haha stupid users, you're obviously just bad at things" or exonerate MS, but it's pretty useful in terms of figuring out how bad it actually was or how at risk you immediately are. Giving workarounds is pretty common practice in a lot of vuln reveals anyway.
Don't most markdown renderers have the same vulnerability? If you click this link, it'll open an external application and run as you, won't it? What is the difference? How is this remote code execution?
Many desktop and mobile apps expose local URL schemes for "deep linking" that trigger other arbitrary behavior. Because they aren't using a standard protocol like http: or mailto:, there's no way for the host OS to know if they're safe to open w/o user confirmation.
To be more concrete: the mailto: URL scheme opens an email client on most systems, but doesn't actually send the email. Apps using custom URLs could take immediate action based on the shared link.
I think the issue is that browsers are smart enough not to allow all sorts of URL protocols, but notepad wasn't?
For those curious, I think this is the scheme prompting logic used by Firefox. The permission dialog seems to have additional logic specifically to warn users when the deep-link schema is a known wallet URL. This is what Microsoft would have to implement.
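To make the distinction the last few comments draw concrete (standard schemes whose handlers don't act immediately versus app-registered custom schemes that may), here is an added example of the kind of scheme gate a document previewer could put in front of its "open link" call. It is not code from the thread, from Notepad or from Firefox; the allowlist policy is an assumption for illustration, the markdown snippet is constructed, and `myapp-deeplink:` is a hypothetical custom scheme.

```python
import re
from urllib.parse import urlsplit

# Policy (an assumption for this example, not any vendor's actual list):
# schemes whose OS handler does not act on the user's behalf by itself.
# A mailto: link opens a draft; it does not send anything.
OPEN_DIRECTLY = {"http", "https", "mailto"}
# Script-like pseudo-schemes have no business reaching a shell-open call.
ALWAYS_BLOCK = {"javascript", "data", "vbscript"}
# Schemes that reach into the local machine: ask first.
LOCAL_CONFIRM = {"file"}

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def classify_link(href: str) -> str:
    """Decide 'open', 'confirm' or 'block' for a link found in an untrusted document."""
    # Strip control characters and padding before parsing so that
    # "java\tscript:" or leading spaces cannot hide the scheme.
    cleaned = _CONTROL_CHARS.sub("", href).strip()
    if not cleaned:
        return "block"
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        # Relative reference: resolves next to the document, i.e. a local file.
        return "confirm"
    if len(scheme) == 1:
        # urlsplit reports "C:\docs\x.md" as scheme "c"; treat as a local path.
        return "confirm"
    if scheme in ALWAYS_BLOCK:
        return "block"
    if scheme in OPEN_DIRECTLY:
        return "open"
    if scheme in LOCAL_CONFIRM:
        return "confirm"
    # Anything else is an app-registered custom scheme. The OS cannot tell
    # whether its handler takes immediate action, so it never opens silently.
    return "confirm"


# Matches [text](url) and [text](<url> "title") forms well enough for a demo.
_MD_LINK = re.compile(r"\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")


def audit_markdown(text: str) -> list[tuple[str, str]]:
    """Return (url, decision) for every inline link in a markdown document."""
    return [(m.group(2), classify_link(m.group(2))) for m in _MD_LINK.finditer(text)]


# Constructed sample document; the deep-link scheme is hypothetical.
SAMPLE_MD = """# Release notes (constructed sample, not a real document)
See [the changelog](https://example.com/changelog) and [email us](mailto:team@example.com).
Try [the new feature](myapp-deeplink://run?action=demo) or the [local copy](file:///C:/docs/notes.md).
[harmless looking](  JavaScript:document.title  )
"""

if __name__ == "__main__":
    for url, decision in audit_markdown(SAMPLE_MD):
        print(f"{decision:8} {url}")
```

The useful property is the default: an unrecognised scheme lands in `confirm`, not `open`, which is the browser-style behaviour the thread says Notepad's preview lacked. Whether `confirm` means a dialog, a warning banner, or refusing outright is a product decision; the point is that the renderer, not the user's reflexes, is the first line of defence.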
Honestly, I'm kinda surprised deep-link warnings—and default applications, to some extent—have to be handled by the browser application rather than by the operating system.