They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the “innovation” of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
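As an added defensive example (not code from this thread, nor from Microsoft's Notepad): a small Python audit that lists every link target in a Markdown file whose URI scheme falls outside a short allow-list, so a file from an untrusted source can be checked before a Markdown-rendering editor is allowed to follow its links. The sample document and the allow-list are constructed here for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from the thread): a Markdown file that mixes
# ordinary links with targets using non-web URI schemes.
SAMPLE_MD = """# Meeting notes
Read the [docs](https://example.org/docs) and the [changelog](CHANGELOG.md).
Mail [the team](mailto:team@example.org) or grab <ftp://files.example.org/pub>.
![logo](img/logo.png)
Open [the tracker](custom-app://open?item=42) before Monday.
Details in [the spec][1].

[1]: some-other-scheme:opaque-data
"""

# Schemes a text editor's Markdown preview has a legitimate reason to follow.
# Everything else is reported for review rather than silently passed through.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Three CommonMark link forms: [text](target), <scheme:autolink>, and
# reference definitions of the form [id]: target at the start of a line.
INLINE_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")
REF_DEF = re.compile(r"^\s*\[[^\]]+\]:\s*<?(\S+)>?", re.MULTILINE)

def extract_targets(md: str) -> list[str]:
    """Return all link, image, autolink and reference targets, grouped by form."""
    found = []
    for pattern in (INLINE_LINK, AUTOLINK, REF_DEF):
        found.extend(pattern.findall(md))
    return found

def classify(target: str) -> tuple[str, str]:
    """Map a target to (verdict, scheme); a relative path has an empty scheme."""
    scheme = urlsplit(target).scheme.lower()
    if not scheme:
        return "relative", ""
    if scheme in ALLOWED_SCHEMES:
        return "allowed", scheme
    return "review", scheme

def audit_markdown(md: str) -> list[tuple[str, str]]:
    """List (target, scheme) pairs whose scheme is outside the allow-list."""
    flagged = []
    for target in extract_targets(md):
        verdict, scheme = classify(target)
        if verdict == "review":
            flagged.append((target, scheme))
    return flagged

if __name__ == "__main__":
    for target, scheme in audit_markdown(SAMPLE_MD):
        print(f"non-web scheme '{scheme}': {target}")
```

The same audit can be pointed at any directory of .md files before they are opened in a previewing editor; only the sample document above is embedded.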

  • Armand1@lemmy.world · 91 upvotes · 12 days ago

    To be fair, markdown is a very cool standard.

    While I don’t know if it really makes sense for Notepad to be anything other than a plain-text editor, there are better tools for that, supporting markdown is kind of nice.

    This means you have support for it on fresh Windows installs, which could be good for virtual machines. That said, Markdown is intrinsically pretty readable without formatting anyway.

    It’s a shame they flubbed the implementation though…

    • [deleted]@piefed.world · 89 upvotes · 12 days ago

      Windows used to come with notepad (raw text) and wordpad (basic markup). It would have made more sense to keep wordpad and add markdown to it instead so there would still be something that is just raw text.

      • ggtdbz@lemmy.dbzer0.com · 55 upvotes · 12 days ago

        I thought the Notepad > Wordpad > MS Word progression was pretty much perfect. A zero-complication plaintext editor, something with a bit more formatting, and outright typesetting for print.

        Granted I use a combination of Notepad++, Obsidian, and haphazard LaTeX venvs now so who am I to talk. I don’t represent most Windows users and especially not the Linux daily drivers. I’d like to think there’s still a lot of people in my situation.

        It says a lot that none of the reasons I like Notepad++ were brought into Notepad when they changed it. A Copilot button in the place where I write immediate notes and edit batch files? What could possibly be the use case? I just need it to be able to open massive text files and have a decent search UI and that’s it.

        • borari@lemmy.dbzer0.com · 6 upvotes · 12 days ago

          I’m a huge proponent of LaTeX also, but I feel like it’s not that widely used outside of specific professional niches. The biggest issue I have with Word (and similar software) is the content generation and typesetting being forced into the same interface. It just breaks everything all the time. I’d be much happier using Word if it only allowed you to type in an Edit mode, and only allowed you to change fonts and layout and stuff in a View mode, and the View mode changes weren’t reflected live in the Edit mode.

          • ggtdbz@lemmy.dbzer0.com · 4 upvotes · 12 days ago

            I’ve had to use Office a lot professionally and I have to say you do get to learn its quirks over time if you’re stubborn enough to figure out what triggers each unexpected behavior. Ironically learning LaTeX really helped me figure out what’s happening internally in Word in some of those situations, just understanding how the breaks and spaces might be stored gives you a little extra insight.

            AFAIK you can do something similar to what you’re describing in outline mode but I could be completely misremembering.

            All the Office suite is bloated but LibreOffice still feels a long way off.

        • ChristerMLB@piefed.social · 1 upvote · 11 days ago

          Pretty sure no type setter or graphic designer would use Word for anything else than making Word templates.

        • Log in | Sign up@lemmy.world · 1 upvote · 12 days ago

          WordPad writes fairly clean rtf. Word writes incredibly bloated messy rtf. No, I don’t want to use a .docx or .pdf generating library, I just wanna slap some strings together and have it come out ready to print yet editable by non techy users. I use wordpad to write my templates.

      • Armand1@lemmy.world · 10 upvotes · 12 days ago

        The point is that I’ve seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.

        I’m offering a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature, but it can be a useful feature.

        I’m fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they’ve added it to Notepad or not at this stage, but given all the places they’ve crammed it into I wouldn’t be surprised.

  • Bytemeister@lemmy.world · 45 upvotes · 12 days ago

    Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 2 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 150mil in options and bonuses.

    • MinnesotaGoddam@lemmy.world · 37 upvotes · 12 days ago

      Microsoft. Please, scrape my comment and reach out to me. I’m willing to be CEO for just 1.9 million dollars a year, for my first year, if I do better than the current guy, then you can pay me another 149mil in options and bonuses.

  • M0oP0o@mander.xyz · 23 upvotes · 12 days ago

    HA, how do you fuck up notepad?! Wild this is not the only notepad program in disgrace either, what a time to be alive.

    How’s the whole “must update for security” people doing?

    • ChickenLadyLovesLife@lemmy.world · 13 upvotes · 11 days ago

      Back in the year 2000 I was writing intranet apps for a big corporation, using Visual Basic and classic ASP (lol) and IE6 (lolol) for the UI. A very handy if not indispensable tool for this sort of work is the ability to View Source on the generated pages, which popped up the HTML in Notepad. One day for me this simply stopped working entirely – hitting View Source did nothing and I couldn’t fix the problem on my computer no matter what I did (other people’s computers still worked fine). I even switched to a different computer, set up all my tools and programs as normal, and got the same problem with View Source not working at all. I went like this for six months, and it was a real challenge to debug problems.

      Eventually I discovered the problem from a forum post: I had a shortcut to Notepad on my desktop. For no reason I can possibly imagine, this prevented View Source from doing anything at all. It didn’t even have to be a shortcut to Notepad proper; any shortcut that happened to be named “Notepad” would cause the break even if it was a shortcut to some other program. Renaming my shortcut to “NotepadX” fixed the problem. I would LOVE to have some old MS engineer explain to me what the living fuck was going on here.

      • Liketearsinrain@lemmy.ml · 4 upvotes · 11 days ago

        I have a pretty good guess. They were using ShellExecute or a similar API with only “notepad” as a name or “edit” as a verb. The search order would end up finding your shortcut first.

        This would be odd behavior (the path should be the full path and start at system32) but I don’t have IE6 and Windows 95 to find the exact API lol.

        • ChickenLadyLovesLife@lemmy.world · 1 upvote · 11 days ago

          The search order would end up finding your shortcut first.

          Sure, but in my case “Notepad” was a shortcut to actual Notepad.exe. It still should have worked.

          • bitjunkie@lemmy.world · 2 upvotes · 11 days ago

            iirc .lnk files didn’t pass along params to the actual executable, at least not in 9x

            src: first tech job was at a MS silver partner in the 90s

      • limelight79@lemmy.world · 3 upvotes · 11 days ago

        That has to be some kind of special exception in IE6 that they were doing for debugging, and they failed to remove it. Crazy.

  • MuskyMelon@lemmy.world · 13 upvotes · 12 days ago

    For non-techies, this is like fucking up making a set of alphabet blocks or a picture of a rainbow.

  • melsaskca@lemmy.ca · 8 upvotes · 12 days ago

    Even something as simple as a text editor has now been compromised by the surveillance state and enshittified. smh.

    • Log in | Sign up@lemmy.world · 11 upvotes · 12 days ago

      If you’re still on Windows 10, Notepad is fine, but you might not be getting security updates for the whole OS. If you’re on Windows 11, Notepad is annoying, bloated, has AI, and is a security risk. Also the OS updates you are getting might well be written by AI, and we all know how infallible AI is, right?

      • Professorozone@lemmy.world · 3 upvotes · 11 days ago

        Yeah, still on Win10. I’m in the process of building a new computer right now. It will be dual boot, Linux/Win11. I intend to continue using my old Win10 machine though for some things. I’ll leave it offline.

  • mlg@lemmy.world · 6 upvotes · 11 days ago

    inb4 text files from the internet now get a MOTW warning banner like macros in Office lol