this post was submitted on 11 Feb 2026
994 points (98.6% liked)

Technology


They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

[–] sturmblast@lemmy.world 2 points 1 day ago

Microsoft is so fucking stupid

[–] mlg@lemmy.world 7 points 1 day ago

inb4 text files from the internet now get a MOTW warning banner like macros in Office lol

[–] someone@lemmy.today 17 points 1 day ago (2 children)

Oh no! Not Microslop! They're my favorite! What do I do?

[–] end_stage_ligma@lemmy.world 11 points 1 day ago (4 children)

Quick! Delete the System32 folder!

[–] maplesaga@lemmy.world 2 points 1 day ago

You need to journey to Epstein's island to find Bill Gates to discover the secret.

[–] Bytemeister@lemmy.world 54 points 2 days ago (1 children)

Microsoft. Please, scrape my comment and reach out to me. I'm willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 150mil in options and bonuses.

[–] HeyThisIsntTheYMCA@lemmy.world 45 points 2 days ago* (last edited 2 days ago) (1 children)

Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.9 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 149mil in options and bonuses.

[–] Magnum@infosec.pub 20 points 2 days ago (1 children)

Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.8 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 148mil in options and bonuses.

[–] gravitas_deficiency@sh.itjust.works 13 points 2 days ago (3 children)

Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.7 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 147mil in options and bonuses.

[–] jaek@aussie.zone 17 points 2 days ago (7 children)

Microsoft, I'll do it for access to the cafeteria and a clippy body pillow.

[–] pkjqpg1h@lemmy.zip 26 points 2 days ago (1 children)

This has nothing to do with Markdown. It's disinformation from Microslop.

You can make the link C:\windows\system32\cmd.exe hn

This is so stupid. Why did they add something like this? In Markdown, there is no execution. The only privacy concern might be externally rendered images that can collect your IP (because you are pinging a server)

[–] rumba@lemmy.zip 10 points 1 day ago (6 children)

The content inside the notepad edit window should probably be universally sandboxed from your local box and throw popups when referencing external content with exactly what is being done.

They half assed the implementation.
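
One way to implement the kind of check described above, telling the user exactly what a link would do before anything is launched. This is an added example, not Notepad's code and not part of any comment in the thread; the scheme allowlist, the function names and the sample file are assumptions made for illustration.

```python
import re

# Schemes treated as ordinary links; the allowlist is this example's assumption.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Three Markdown link forms: [text](target), <scheme:target>, and [id]: target
INLINE = re.compile(r'!?\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>')
REFDEF = re.compile(r'^ {0,3}\[(?!\^)[^\]]+\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')

def classify(target):
    """Return why a link target deserves a warning, or None if it looks ordinary."""
    if re.match(r'^[A-Za-z]:[\\/]', target):
        return "local drive path"          # checked first: "C:" is not a scheme
    if target.startswith(("\\\\", "//")):
        return "UNC/network path"
    m = SCHEME.match(target)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return f"non-web scheme '{m.group(1).lower()}:'"
    return None                            # web/mail link, relative path or #anchor

def audit_markdown(text):
    """Return (target, reason) for each flagged link target, in document order."""
    found = {}
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for m in pattern.finditer(text):
            reason = classify(m.group(1))
            if reason:
                found[m.start(1)] = (m.group(1), reason)  # keyed by offset: dedupes
    return [found[pos] for pos in sorted(found)]

# Constructed sample file; the cmd.exe path is the one quoted in the thread.
SAMPLE = r"""# Release notes (constructed sample)
See the [guide](https://example.com/guide "Guide") and [intro](#intro).
Run the [installer](C:\windows\system32\cmd.exe) first.
Shared copy: <file://fileserver.example/share/readme.txt>
[setup]: example-handler://open?item=1
"""

if __name__ == "__main__":
    for target, reason in audit_markdown(SAMPLE):
        print(f"WARN {reason}: {target}")
```

The same classification can back a confirmation prompt in a renderer or a pre-open scan of downloaded `.md` files in a mail or download gateway.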

[–] yuzu8@infosec.pub 11 points 1 day ago (2 children)

Wait! Can someone explain this to me?

[–] MadBits@europe.pub 24 points 1 day ago* (last edited 1 day ago) (6 children)

Microsoft recently added Markdown support so it can handle things like bold text, links, and images.

But in doing that, they accidentally created a problem where a malicious text file could hide a link inside it. When you open the file, Notepad might follow that link, which could then download and run harmful code on your system.

So now, in the worst case, just opening what looks like a normal text file could put your computer at risk.

Thanks Microsoft.

[–] pkjqpg1h@lemmy.zip 8 points 1 day ago (1 children)

It's not about markdown and it wasn't accidental

"Improper neutralization of special elements used in a command" read

[–] nexguy@lemmy.world 6 points 1 day ago (1 children)

Great! That is the perfect question to ask and at the most appropriate time! I'll give you a detailed explanation without any hand-waving and get directly to the point with a concrete answer and also just a little about white supremacy.

[–] dbtng@eviltoast.org 1 points 1 day ago

I like dark absurdity. Good job.

[–] selokichtli@lemmy.ml 21 points 2 days ago* (last edited 2 days ago)

Lol. Your second sentence should be the headline of this news.

[–] M0oP0o@mander.xyz 25 points 2 days ago (2 children)

HA, how do you fuck up notepad?! Wild this is not the only notepad program in disgrace either, what a time to be alive.

How's the whole "must update for security" people doing?

[–] ChickenLadyLovesLife@lemmy.world 16 points 2 days ago (4 children)

Back in the year 2000 I was writing intranet apps for a big corporation, using Visual Basic and classic ASP (lol) and IE6 (lolol) for the UI. A very handy if not indispensable tool for this sort of work is the ability to View Source on the generated pages, which popped up the HTML in Notepad. One day for me this simply stopped working entirely -- hitting View Source did nothing and I couldn't fix the problem on my computer no matter what I did (other people's computers still worked fine). I even switched to a different computer, set up all my tools and programs as normal, and got the same problem with View Source not working at all. I went like this for six months, and it was a real challenge to debug problems.

Eventually I discovered the problem from a forum post: I had a shortcut to Notepad on my desktop. For no reason I can possibly imagine, this prevented View Source from doing anything at all. It didn't even have to be a shortcut to Notepad proper; any shortcut that happened to be named "Notepad" would cause the break even if it was a shortcut to some other program. Renaming my shortcut to "NotepadX" fixed the problem. I would LOVE to have some old MS engineer explain to me what the living fuck was going on here.

[–] Maggoty@lemmy.world 5 points 1 day ago

Vibe Coding

[–] Armand1@lemmy.world 121 points 3 days ago* (last edited 3 days ago) (5 children)

To be fair, markdown is a very cool standard.

While I don't know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice.

This means you have support for it on fresh Windows installs, which could be good for virtual machines. That said, Markdown is intrinsically pretty readable without formatting anyway.

It's a shame they flubbed the implementation though...

[–] snooggums@piefed.world 128 points 3 days ago (1 children)

Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.

[–] ggtdbz@lemmy.dbzer0.com 70 points 2 days ago (7 children)

I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero complication plaintext editor, something with a bit more formatting, and outright typesetting for print.

Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.

It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it

[–] MuskyMelon@lemmy.world 14 points 2 days ago (3 children)

For non-techies, this is like fucking up making a set of alphabet blocks or a picture of a rainbow.

[–] BeatTakeshi@lemmy.world 6 points 1 day ago

It qualifies for c/aboringdystopia imo

[–] SaharaMaleikuhm@feddit.org 24 points 2 days ago (1 children)

Another day another Microslop nonsense
