- cross-posted to:
- blueteamsec@infosec.pub
- cross-posted to:
- blueteamsec@infosec.pub
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
Does notepad even have syntax highlighting?
They should make the web browser render.md. that would be far more useful.
It doesn’t. Whether that remains the case remains to be seen.
My god it’s useless. It’s the most limited markdown editor in the world. It lacks so much basic function that you would have to download an actual markdown editor if you were ever going to use it, so there’s no point in notepad having the functionality, and then at the end of the day it’s in a file format that basically doesn’t exist outside of the web.
Microsoft Word cannot open it. So a Microsoft text editor program, can create a file that a different Microsoft text editor program can’t read, despite markdown being a supposedly universal standard. Wow.