By looking at their 2025 shareholder report (Look for the part below "NOTE 18"), Windows is only at the 5th place in terms of revenue source, even below the LinkedIn:
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
> Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light.
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have a RCE
The problem is notepad itself would download and execute bad stuff if you click the evil link. If you would paste that same link in a browser you'd be ok.
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too
Win9x Notepad in particular can only load files up to 64KB in size (edit: and supports only ANSI encoding, no Unicode). There were some actually useful additions to it up until Windows 10 or so - for example being able to handle LF (in addition to CRLF) line endings. But yeah, everything added in Windows 11 is just pure bloat.
Notepad is so slow at loading large files that it crashing quickly is a feature.
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
For those of you on macOS who still want to benefit from arguably the best drawing application ever conceived, https://jspaint.app/ is THE way. Use it all the time when editing screenshots.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
Kind of a weird feeling that in order to get the better Windows 11 experience one requires programs from four operating system versions earlier.
Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
I have the mspaint.exe from the same version too :P. It complains about registry stuff on launch but other than that it works fine. There's no spray can in the modern paint!
I feel bad for anyone at MS who thought these applications needed anything more than bugfixes. Welcome to the Notepad team, the entire world would be better off it you did nothing at all!
It needs far more features apparently. Tons more. That's why Notepad++ is popular. Which also had a severe security vulnerability recently. Which was actively exploited by some state actor like China.
The OS provided option can be bare bones, stable, secure and just utilitarian. This promotes having people choose their own tools for the features they want and not really expecting much other than reliability from the OS version. They didn’t need to mess with a good thing.
A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
telnetd CVE-2026-24061. It's embarrassingly simple exploit but took years to be discovered.
> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
> At this point, what am I supposed to do other than uninstall Windows completely?
Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?
There is no valid excuse for this vulnerability. It's existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.
- Windows Sandbox (consumer-level sandbox)
- Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
- HyperV (VM hypervisor)
- Edge Browsers
Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparision, on Ubuntu, user folder by default can be read by all users.
>Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.
We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results.
It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”.
"For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text."
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.
> nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money.
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to pursuade you to do something harmful.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
I couldn't agree more. A text editor exposing an attack surface via a network stack is precisely the kind of bloat that makes modern computing ultra-fragile.
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer.
>At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)?
From MSRC:
>How could an attacker exploit this vulnerability?
>An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Sounds like a bug where you could put an url like \\evil.example\virus.exe into a link, and if a user clicks it executes virus.exe
Things started going downhill when they added a Bing option to one of the menus, which was only very recently after they added support for *nix newlines. A very mishandled product, but then the whole OS has been mishandled since 10. Some would say 7.
It'd be more hilarious if it weren't so sad. In just 10 years a disturbingly large number of huge development teams decided that making a GUI application using the old ways [1] was too hard and decided to ship an entire web engine (electron) to render 10 buttons.
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
I'm not sure if we should use "gold standard" together with the little piece of garbage that notepad.exe was for most of its existence. It has been the bane for anyone who had to do work on locked down Windows servers and had to, e.g., edit files with modern encodings. They fixed some of it in the meantime, but the bitter taste remains.
You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end is nigh.
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on.
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
There's still old tiny Metapad. And also more modern and fully featured (but still light) Notepad 2/3/4 and Notepad++.
For full replacement, i just renamed all instances to notepad.exe.bak, back then on Windows 7 & 10, and rename-replaced it with metapad.exe. Though, i guess with UWP apps (modern Notepad is one), it's just file associations nowadays. There's surely some mass-reassociate utility around?
Btw, nano is only 50/50 chance that's it's pre-installed. Learn some vim, will ya? ;)
> This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
A utility meant for viewing data? I don't think you understand what a text editor is.
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
I’m not sure I understand what you’re trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And i fail to see the new features as anything but useless bloat.
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files."
Notepad rendering other formats removes one of the specific reasons I use notepad: to strip the stupid formatting that all sorts of applications seem to want to attach to text these days.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of the its magic: it's immunity to the choices of marketing teams and dud management.
I don’t know if it works for windows but on other operating systems if you hold shift while pasting it strips the special formatting. I don’t have a windows machine readily available but I hope even if it doesn’t work there this will be useful to other people reading the comment. I agree though. Basically the only format I ever want to keep is _sometimes_ the link with text. And even then usually not the exact coloring/indicators.
The funny thing is browsers figured out years ago you need to warn users before launching random protocol handlers. Microsoft added clickable links to Notepad and just skipped that part entirely. It's not even about the feature creep, it's that they reinvented something browsers solved ages ago and somehow forgot why those safeguards existed in the first place.
Haha, yeah.. Im using Notepad2 actually, because for LOOONG time, notepad.exe could not display LF files correctly... and Notepad2 has a bit more features, but still.. clean and lean.
Notepad completely froze up on me the other day, from just closing tabs of text files. It's so bloated its a complete joke, it should be nothing more than text editing, get rid of all the nonsense added to it since win11
Let's ask the obvious. There should be zero vulns in notepad. It should be feature complete since XP. Who approved this vulnerability, and how quickly can they be fired? The App store is a joke. At least call it Notepad 2.0 or some other flashy garbage so we can proactively label the bullshit as such.
i imagine it’s probably something to do with the massive scope creep recently, especially with AI and the Markdown features - they’ve tried to fit some of WordPad’s rich text features following its removal
Yeah the other day in calc.exe I pressed F7 in programmer mode to change to octal (F5 to F8 select Hex, Dec, Oct, Bin), and instead it asked if I was sure I wanted to enable caret browsing.
One of the last straws that got me to migrate to Linux was how long it would take for calc.exe to open in Windows 10. Even on much older computers and much older version of Windows it was instant. Suddenly in the mid-2010's the calculator is so bloated you have to wait a few seconds for it to load? Fuck off.
It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.
Oof. That's a special kind of stupid. I get how it happened, but like, they found a way to make calc bad while also bringing an obscure feature in modern browsers I hate with a passion.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
Something felt off about your comments, so I checked your account. You signed up almost six years ago, and in all that time made zero submissions and your only comments are these two on this thread? I’ve been seeing this more and more on HN. What exactly is going on here?
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
> Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
It's in fact the opposite. Browsers show a popup that asks if you really intended to click a link with a non http/https handler, notepad does not.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
One of the (not so many) things about Windows that I loved was the zen simplicity of the Notepad. I saw it through Windows 3.1 all the way to the bloated oblivion it was driven to, and I did not like to see that sad, final chapter. (Broader theme, do I miss the simpler computer times!)
It looks like, after Microsoft discontinued WordPad, they want to implement more features into Notepad. If you want simple plain text editor you have to use msedit[1].
You can still open the real notepad, you just have to turn off a "feature" that makes running notepad.exe open the new notepad. Its called "execution alias" or something like that.
I'm frankly amazed that the majority of new laptops still come with Microsoft Windows.
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for peristent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
Exactly my predicament. My laptop reached EOL but I'm struggling to purchase a new one.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
Yeah it sucks. Got an MBP here which was my refuge from Windows. That's gone to hell too.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
As much as I used to love Sublime, the version switching caught me out which burned me a bit, even if admittedly my v2 key lasted an unreasonable time through the version 3 beta, but I don't want to risk buying a v4 key without a clear roadmap of when they might switch to version 5.
I can definitely vouch for this! I've been using it for many years and it's been essentially the same the whole time: fast, lean and working on all operating systems.
Actually, the big red flag for me was the removal of "My Computer".
Folks, you might still think it's "your computer" but Microsoft clearly doesn't.
You've got something they want and they will stop at nothing to take it from you.
My assumption here is that if the link is web link it will open that link in web browser but Windows (and other OSes) have custom URL handlers that open whatever app is registered for that URL and that app may have issues that causes it to download and run arbitrary code.
Up next: forgotten Piet[1] autorun feature discovered in MS Paint. Customers complain after removal, insist they have existing legacy applications depending on it.
Microsoft is stuck in exactly the same situation Linux is: It has to be all things to all people. It has to be simple enough that grandma can use it, but powerful enough to not alienate their business customers. Putting link-handling (rich text) in Notepad (the plain-text editor) was idiotic, however.
In the past I would have defended Microsoft for this, somehow.
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
I found a simpler explanation for what's going on [1].
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Eletron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
What other markdown viewers or editors support URL schemes that just execute code? And not in a browser sandbox but in the same security context notepad itself is running in.
Clicking an unknown link shouldn't result in compromise. Fortunately, MS-Windows disallows running anything not vetted by MS unless you figure out how to bypass the "SmartScreen" filter. This filter is super annoying to many a techie or gamer, but for MS-Windows refusing to run "unknown" programs is a feature, not a bug.
So yes, MS will likely denounce this as not their problem and move on.
Even if you want to Notepad have clickable links, maybe not allow it to blindly allow every URL scheme known to man. It seems reasonable to limit it to do http/https and MAYBE mailto.
I want to complain about the terminology used. It is probably just me, but RCE implies no user action required. It is a stupid, bad error yes, but because it requires the user to load a payload file and click on a link I would not really categorize it as a "remote" code execution type vulnerability.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
Yes, that is the definition consistent with historical use of "RCE": a component is accessible in such a way that it is remotely reachable and you can get full code execution access on the machine via that bug (subject to whatever limits the process has within the OS, such as running as a certain user ID or seccomp or such). This attack is less like an RCE in a networked web server and more like bad file parsing in a PDF reader
Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor)
I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation
Well, it might be "more secure" in the sense of "no hacker will use it as an attack vector", not necessarily "it is free of security of security bugs".
I 100% agree. I'm just trying to point out the problem isn't Microsoft AI slopping their software. Even if you slopped it, the software could turn out better than what they're putting out.
There must be something much worse than slop going on to get to this point.
By looking at their 2025 shareholder report (Look for the part below "NOTE 18"), Windows is only at the 5th place in terms of revenue source, even below the LinkedIn:
https://www.microsoft.com/investor/reports/ar25/index.html#
I can only think that they do not even care about Windows anymore, let alone Notepad...
It is to do with link handling:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Huh, I'm surprised that is considered a vulnerability, but OSC8 support in Windows Terminal is not. Not sure I understand their rationale. e.g.
> It is to do with link handling:
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
> Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light.
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
9 replies →
What does “unverified protocols” mean? Does Windows have an exe:// url scheme that fetches and runs executable binaries or something?
Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have a RCE
3 replies →
Is this a big deal? is it also not a problem with anything that renders clickable links? Browsers, email clients, whatever.
Is this not a problem with anything that offers a preview of markdown (or HTML, or anything with embedded links)?
The problem is notepad itself would download and execute bad stuff if you click the evil link. If you would paste that same link in a browser you'd be ok.
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
1 reply →
I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too
Win9x Notepad in particular can only load files up to 64KB in size (edit: and supports only ANSI encoding, no Unicode). There were some actually useful additions to it up until Windows 10 or so - for example being able to handle LF (in addition to CRLF) line endings. But yeah, everything added in Windows 11 is just pure bloat.
I find notepad useful for sanitising clipboard content.
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
15 replies →
The reason being it is a plain text edit component, with a window around it, hence the limitation.
1 reply →
Notepad is so slow at loading large files that it crashing quickly is a feature.
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
I extracted out notepad.exe, calc.exe and mspaint.exe from Windows 7. I use them on Windows 11. They work perfectly.
For those of you on macOS who still want to benefit from arguably the best drawing application ever conceived, https://jspaint.app/ is THE way. Use it all the time when editing screenshots.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
2 replies →
Kind of a weird feeling that in order to get the better Windows 11 experience one requires programs from four operating system versions earlier.
Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
2 replies →
There used to be a website that has these installable.
Update - it's just the games; I thought it had notepad and calc as well
Might as well just use Windows 7 if the security surface is this bad on later windows.
I have the mspaint.exe from the same version too :P. It complains about registry stuff on launch but other than that it works fine. There's no spray can in the modern paint!
3 replies →
I feel bad for anyone at MS who thought these applications needed anything more than bugfixes. Welcome to the Notepad team, the entire world would be better off it you did nothing at all!
> (though the "about notepad" dialog shows the windows 11 version for some reason??)
It's because the program just calls a Windows API to display the version dialog of Windows itself.
Specifically, ShellAbout: https://learn.microsoft.com/en-us/windows/win32/api/shellapi...
How do you edit notes using Microsoft Copilot 365 for Notepad Copilot using that version?
How do you write without being able to read with that version?
you can also just uninstall the "new" notepad, at which point Windows will let you run the old one again (which is still shipped!).
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy nodepad received, such as LF line ending support.
What? Did they accidentally revert the improvements they already made to previously shipped versions of the old notepad program?
> What more does notepad need?
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
If you go that far, metapad (from 98) is still better than notepad ever was. Also loads 100k lines files quickly.
Apparently windows 11 still ships with classic notepad?
https://github.com/christian-korneck/classic-windows-notepad
I feel vindicated by reverting to the old windows 10 notepad.exe
> What more does notepad need?
AI! It needs AI. Did I guess it right?
Affermative. You have unlocked the following achievement: "Get a head start of 45 minutes when we start destroying humanity".
2 replies →
It needs far more features apparently. Tons more. That's why Notepad++ is popular. Which also had a severe security vulnerability recently. Which was actively exploited by some state actor like China.
That recent Notepad++ incident was a supply chain attack, not a vulnerability in the original program.
9 replies →
The OS provided option can be bare bones, stable, secure and just utilitarian. This promotes having people choose their own tools for the features they want and not really expecting much other than reliability from the OS version. They didn’t need to mess with a good thing.
Ok, tabs, I do like the tabs.
Get notepad.exe from reactos' nightly ISO, it's in reactos.cab
Extract both the ISO and reactos.cab wth 7zip.
Support for Unix line endings at the very least.
A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
Install vim for Windows. I just use gvim as a notepad replacement. No plugins or anything required.
Well technically Unixes like Linux are a mountain of legacy and they are fine.
Windows is just a mountain of shit.
> a mountain of legacy and they are fine.
telnetd CVE-2026-24061. It's embarrassingly simple exploit but took years to be discovered.
> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
1 reply →
"Fine"
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
12 replies →
Unixes like Linux are not immune.
2 replies →
> At this point, what am I supposed to do other than uninstall Windows completely?
Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?
There is no valid excuse for this vulnerability. It's existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.
Visual Studio Code was not compromised.
Visual Studio Code is the compromise
Neither is Neovim, Sublime Text, Visual Studio, ed, etc... So what? This is still unacceptable
we still need a mouse icon rce until we reach peak
>No real sandboxing, a mountain of legacy…
You have:
- Windows Sandbox (consumer-level sandbox) - Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access) - HyperV (VM hypervisor) - Edge Browsers
Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparision, on Ubuntu, user folder by default can be read by all users.
>Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.
1 reply →
I still use VIM in the terminal. So far, I'm fine, but I assume there's gonna be some inevitable CI/CD compromises sooner or later.
We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results.
1 reply →
It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”.
I think they came up the the exact right answer like:
> How do I add more features to get a promotion
But can it generate qrcode already?
It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”.
27 replies →
"For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text."
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.
11 replies →
> nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
12 replies →
There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money.
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
Embarrassing bugs are not RCEs. Also the industry should be more mature now, not less. But move fast and break things, I guess...
4 replies →
To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to pursuade you to do something harmful.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
1 reply →
https://en.wikipedia.org/wiki/Bush_hid_the_facts
1 reply →
I am pretty sure it's possible to fix that entire category of bugs without introducing RCE vulnerabilities.
1 reply →
Fascinating reading about that bug, thanks for sharing
> Now this is a solved problem
Is that so? I ran pretty often in problems with programs having trouble with non-ANSI characters
It's not solved, we just don't have to guess the encoding any more because it's always UTF-8.
I couldn't agree more. A text editor exposing an attack surface via a network stack is precisely the kind of bloat that makes modern computing ultra-fragile.
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad
Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer.
3 replies →
> FIPS-compliant bindings (OpenSSL)
Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.
The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.
2 replies →
What does notepad need openssl for?
10 replies →
>At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)?
From MSRC:
>How could an attacker exploit this vulnerability?
>An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Sounds like a bug where you could put an url like \\evil.example\virus.exe into a link, and if a user clicks it executes virus.exe
That's why we have text editors, markdown viewers, image viewers, etc.
You were never able to "click a link" in Notepad in the past.
Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them.
1 reply →
Things started going downhill when they added a Bing option to one of the menus, which was only very recently after they added support for *nix newlines. A very mishandled product, but then the whole OS has been mishandled since 10. Some would say 7.
Question is, did they even realize they added a network-aware rendering stack...
Is it giving MS too much credit to suggest that they probably didn't just vibe code their new notepad?
Unfortunately, code execution in text editors aren't a new thing. Vim had one published in 2019: https://github.com/numirias/security/blob/master/doc/2019-06...
Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377
Neither vim nor Notepad are purely for displaying text though.
> Neither vim nor Notepad are purely for displaying text though.
Up until fairly recently, that's exactly all Notepad did.
Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.
vim is a far larger program than a text editor.
notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".
It'd be more hilarious if it weren't so sad. In just 10 years a disturbingly large number of huge development teams decided that making a GUI application using the old ways [1] was too hard and decided to ship an entire web engine (electron) to render 10 buttons.
[1] (native GUI widgets? agggh)
Which 10 buttons?
The day calculator brought me to an MS Store login was the day I became a radical.
Mine was when they asked me to rate the calculator on the store.
2 replies →
> viewing data is a fundamental failure of the principle of least privilege.
I read the cwe not cve, was wrong. It's still early in the morning...
You are mistaken:
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
> If I read it correctly (but could be mistaken), it runs with setuid root
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
4 replies →
I'm not sure if we should use "gold standard" together with the little piece of garbage that notepad.exe was for most of its existence. It has been the bane for anyone who had to do work on locked down Windows servers and had to, e.g., edit files with modern encodings. They fixed some of it in the meantime, but the bitter taste remains.
You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end is nigh.
You goto go with the times man, goto write yourself a fulltime job with a legacy.
EDIT: THE OLD NOTEPAD IS STILL IN WINDOWS AND WE CAN USE IT!
https://learn.microsoft.com/en-us/answers/questions/3845356/...
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on.
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
1 reply →
> the purity of "working with what's installed".
Oh, a kindred spirit!
I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.
(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)
5 replies →
There's still old tiny Metapad. And also more modern and fully featured (but still light) Notepad 2/3/4 and Notepad++. For full replacement, i just renamed all instances to notepad.exe.bak, back then on Windows 7 & 10, and rename-replaced it with metapad.exe. Though, i guess with UWP apps (modern Notepad is one), it's just file associations nowadays. There's surely some mass-reassociate utility around?
Btw, nano is only 50/50 chance that's it's pre-installed. Learn some vim, will ya? ;)
2 replies →
EDIT.COM still works in dosbox
6 replies →
Except it keeps reverting to the new notepad every few days….
I’ve been fighting this for the last couple of weeks but it just doesn’t stick
1 reply →
> This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
What's your day job? Are you self employed?
tell this to level N-1 managers that want to get promoted by the only way of "launching features"
A utility meant for viewing data? I don't think you understand what a text editor is.
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
I’m not sure I understand what you’re trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And i fail to see the new features as anything but useless bloat.
They should have called it Emacs. Then everybody would have known.
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files."
I didn't even know Notepad would render Markdown.
Notepad rendering other formats removes one of the specific reasons I use notepad: to strip the stupid formatting that all sorts of applications seem to want to attach to text these days.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of the its magic: it's immunity to the choices of marketing teams and dud management.
I don’t know if it works for windows but on other operating systems if you hold shift while pasting it strips the special formatting. I don’t have a windows machine readily available but I hope even if it doesn’t work there this will be useful to other people reading the comment. I agree though. Basically the only format I ever want to keep is _sometimes_ the link with text. And even then usually not the exact coloring/indicators.
Windows now has buttons in win-v (the clipboard helper popup) for this
Torture will continue until morale improves
I think it's very recent, I use it almost daily and only last week did I see a markdown file being rendered.
These kind of surprises are the reason why we should switch off auto update on every software.
The funny thing is browsers figured out years ago you need to warn users before launching random protocol handlers. Microsoft added clickable links to Notepad and just skipped that part entirely. It's not even about the feature creep, it's that they reinvented something browsers solved ages ago and somehow forgot why those safeguards existed in the first place.
Notepad had one job, display text. Microsoft decided it needed an attack surface instead.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
More like the year of the Mac OS (or MacBook). Once market saturates with cheap M series you will see everyone switching.
I miss when the Notepad was doing what the Notepad is supposed to do: show a text file, plain and simple.
Haha, yeah.. Im using Notepad2 actually, because for LOOONG time, notepad.exe could not display LF files correctly... and Notepad2 has a bit more features, but still.. clean and lean.
This was already better when the latest from MS was still called "* XP":
https://liquidninja.com/metapad/
Wow that's a hit of nostalgia, I'd completely forgotten about metapad, but I loved it back in the day.
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
2 replies →
I used to overwrite c:\windows\notepad.exe with Metapad. At some point Windows security made this a pain though!
How are these discovered?
Is it just a well informed guess or do people decompile these programs?
Notepad completely froze up on me the other day, from just closing tabs of text files. It's so bloated its a complete joke, it should be nothing more than text editing, get rid of all the nonsense added to it since win11
I used notepad as my default, simple text editor for ages.
After they added copilot I finally gave up and uninstalled it and switched to a one of the minimalistic clones of the good old notepad.exe
Let's ask the obvious. There should be zero vulns in notepad. It should be feature complete since XP. Who approved this vulnerability, and how quickly can they be fired? The App store is a joke. At least call it Notepad 2.0 or some other flashy garbage so we can proactively label the bullshit as such.
i imagine it’s probably something to do with the massive scope creep recently, especially with AI and the Markdown features - they’ve tried to fit some of WordPad’s rich text features following its removal
[dead]
So what this means is every Windows program is now a cve nightmare (or goldmine, depending on view)?
Yeah the other day in calc.exe I pressed F7 in programmer mode to change to octal (F5 to F8 select Hex, Dec, Oct, Bin), and instead it asked if I was sure I wanted to enable caret browsing.
One of the last straws that got me to migrate to Linux was how long it would take for calc.exe to open in Windows 10. Even on much older computers and much older version of Windows it was instant. Suddenly in the mid-2010's the calculator is so bloated you have to wait a few seconds for it to load? Fuck off.
It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.
I've found calc's currency converter feature frightening.
Oof. That's a special kind of stupid. I get how it happened, but like, they found a way to make calc bad while also bringing an obscure feature in modern browsers I hate with a passion.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
Always has been.
Notepad had one job... Seems like bringing markdown features killed it :)
Something felt off about your comments, so I checked your account. You signed up almost six years ago, and in all that time made zero submissions and your only comments are these two on this thread? I’ve been seeing this more and more on HN. What exactly is going on here?
Looks like they logged in the first time in years to make a post https://news.ycombinator.com/item?id=46975123
And decided to jump in on some threads just as well.
HN is a psy-op.
Markdown? They shoved copilot into it.
Yeah, way more than the good old Notepad :)
copilot has nothing to do with this vulnerability
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
> Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
It's in fact the opposite. Browsers show a popup that asks if you really intended to click a link with a non http/https handler, notepad does not.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
1 reply →
We got notepad.exe RCE before GTA 6
Bare with me, but im not again' the new Notepad. Its fairly well done - the markdown - and even the AI dropdown presets seem useful.
but I do wish they had called it something else and kept notepad as txt only.
One of the (not so many) things about Windows that I loved was the zen simplicity of the Notepad. I saw it through Windows 3.1 all the way to the bloated oblivion it was driven to, and I did not like to see that sad, final chapter. (Broader theme, do I miss the simpler computer times!)
It looks like, after Microsoft discontinued WordPad, they want to implement more features into Notepad. If you want simple plain text editor you have to use msedit[1].
[1]https://github.com/microsoft/edit
You can still open the real notepad, you just have to turn off a "feature" that makes running notepad.exe open the new notepad. Its called "execution alias" or something like that.
I just use the winxp wordpad.exe. (and calc paint notepad, and I use paint shop pro 4.12)
I'm frankly amazed that the majority of new laptops still come with Microsoft Windows.
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for peristent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
Old notepad is still in Windows 11 at C:\Windows\notepad.exe
And they even put a nagware in it to point you to the new notepad. Oh MSFT.
Works great still, but now windows won't let me associate .txt files with it. God damn I hate the future
1 reply →
They could've just implemented it in webview2 with all the AI features they want.
Seems whatever they do they step in shit. They should stop doing stuff.
They spent the last few years entirely compromising their products rather than improving them.
Exactly my predicament. My laptop reached EOL but I'm struggling to purchase a new one.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
Yeah it sucks. Got an MBP here which was my refuge from Windows. That's gone to hell too.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
As someone who would like to get a new PC (but a desktop) for coding, and is considering a mac, why would you never buy a mac for coding ?
I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.
1 reply →
Do you have a moment to talk about Linux?
5 replies →
Install Linux
I feel like the process of carving out any meaning out of "QA" is complete. It's cathartic, in its twisted way...
8.8 RCE CVE in notepad.exe. Well done microslop
This wouldn't happen if they'd use more LLM models to triple-check what previous models did during development!
use SublimeText, it is perhaps faster now than the stock Notepad
As much as I used to love Sublime, the version switching caught me out which burned me a bit, even if admittedly my v2 key lasted an unreasonable time through the version 3 beta, but I don't want to risk buying a v4 key without a clear roadmap of when they might switch to version 5.
It’s $99 for something that is almost 5 years old at that point.
I can definitely vouch for this! I've been using it for many years and it's been essentially the same the whole time: fast, lean and working on all operating systems.
Combined with LSP I find it to be quite a good IDE too. Handles extremely large source trees quite well.
Conglatulations Microslop.
Actually, the big red flag for me was the removal of "My Computer". Folks, you might still think it's "your computer" but Microsoft clearly doesn't. You've got something they want and they will stop at nothing to take it from you.
This should be treated as an all-out war.
If you can use Reactos' Notepad.exe from the daily ISO build (extract reactos.cab with 7zip) the better.
> Product
> Windows Notepad
Disambiguation urgently needed.
So notepad now renders links, then when clicks execute the code on those links (not just loading a website in a browser for example)?
I'm at work, on a work computer, so can't fully test, but yes.
I saved this as test.md, opened it in notepad, clicked the link, and it popped open a command line:
[Click me](C:/Windows/System32/cmd.exe)
Can definitely go further than this; just a quick test.
To be fair, though, it's not just a click -> open/run. The user has to `ctrl+click` and will see the source of the link (at least I do).
My assumption here is that if the link is web link it will open that link in web browser but Windows (and other OSes) have custom URL handlers that open whatever app is registered for that URL and that app may have issues that causes it to download and run arbitrary code.
I'd now like to see a RCE in MS Paint or Calculator, if the exploit finder is reading this.
Up next: forgotten Piet[1] autorun feature discovered in MS Paint. Customers complain after removal, insist they have existing legacy applications depending on it.
[1] https://en.wikipedia.org/wiki/Esoteric_programming_language#...
As if you needed another reason to switch to Linux
Just now Notepad integrates very useful copilot assistant... What can go wrong
To be fair this has more to do with Markdown than anything else.
Although I approve of neither feature. notepad should stick with what it does well.
Microsoft is stuck in exactly the same situation Linux is: It has to be all things to all people. It has to be simple enough that grandma can use it, but powerful enough to not alienate their business customers. Putting link-handling (rich text) in Notepad (the plain-text editor) was idiotic, however.
Good job!
In the past I would have defended Microsoft for this, somehow.
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
I found a simpler explanation for what's going on [1].
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Eletron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
[1]: https://cybersecuritynews.com/windows-notepad-rce-vulnerabil...
[dead]
[dead]
[flagged]
use linux
What AI great job!
Yeah, clicking unverified links in a markdown document to launch an executable....
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
What other markdown viewers or editors support URL schemes that just execute code? And not in a browser sandbox but in the same security context notepad itself is running in.
Clicking an unknown link shouldn't result in compromise. Fortunately, MS-Windows disallows running anything not vetted by MS unless you figure out how to bypass the "SmartScreen" filter. This filter is super annoying to many a techie or gamer, but for MS-Windows refusing to run "unknown" programs is a feature, not a bug.
So yes, MS will likely denounce this as not their problem and move on.
This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.
1 reply →
Notepad was the epitome of a single, well functioning app in Windows for the last eternity of two.
Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.
Even if you want to Notepad have clickable links, maybe not allow it to blindly allow every URL scheme known to man. It seems reasonable to limit it to do http/https and MAYBE mailto.
I want to complain about the terminology used. It is probably just me, but RCE implies no user action required. It is a stupid, bad error yes, but because it requires the user to load a payload file and click on a link I would not really categorize it as a "remote" code execution type vulnerability.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
Yes, that is the definition consistent with historical use of "RCE": a component is accessible in such a way that it is remotely reachable and you can get full code execution access on the machine via that bug (subject to whatever limits the process has within the OS, such as running as a certain user ID or seccomp or such). This attack is less like an RCE in a networked web server and more like bad file parsing in a PDF reader
Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor)
I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation
clicking links should not be a security issue and yes the CVE is totally deserved: that's remote code execution.
You can literally one-shot Opus 4.6 to make a better, faster, safer, more secure notepad.exe than the one that comes with Windows.
This isn't an AI slop problem.
Well, it might be "more secure" in the sense of "no hacker will use it as an attack vector", not necessarily "it is free of security of security bugs".
Tools are almost never the problem.
The application of tools is.
I 100% agree. I'm just trying to point out the problem isn't Microsoft AI slopping their software. Even if you slopped it, the software could turn out better than what they're putting out.
There must be something much worse than slop going on to get to this point.
2 replies →