Comment by j2kun
16 hours ago
This is my favorite part of this story. Do you want remote code execution? Because [fixing things that aren't broken] is how you get remote code execution.
I thought it was by introducing an RCE vulnerability that you get an RCE vulnerability.
I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...
> * Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.
That's not the case here.
Web browsers warn you about opening arbitrary protocols. And you have to select the program that will open it.
This Notepad vuln allows you to click things like ssh://x....
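The distinction drawn above (a browser warns before handing a non-web scheme such as ssh:// to an external handler, whereas auto-linking every syntactically valid URI launches whatever handler is registered) is the kind of policy a defender can encode in a few lines. The following is an added example, not code from Notepad or from any commenter: it scans text for URIs, auto-links only an allowlist of web schemes, and routes everything else to a confirmation step. The allowlist, the regex and the sample text are my assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed policy: only plain web schemes become one-click links. Any other
# scheme (ssh, file, a vendor-registered handler, ...) is dispatched to a
# protocol handler outside the editor, so it requires an explicit confirmation.
AUTO_OPEN_SCHEMES = {"http", "https"}

# Matches "scheme://rest" where scheme follows RFC 3986 (ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")).
URI_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.\-]*://\S+")


def classify_uri(uri: str) -> str:
    """Return 'auto-link' for allowlisted web schemes, 'confirm' for anything else."""
    scheme = urlsplit(uri).scheme.lower()
    return "auto-link" if scheme in AUTO_OPEN_SCHEMES else "confirm"


def find_links(text: str) -> list[tuple[str, str]]:
    """Locate URIs in untrusted text and tag each with the policy decision."""
    links = []
    for m in URI_RE.finditer(text):
        # Trailing sentence punctuation is not part of the URI.
        uri = m.group(0).rstrip(".,;:!?)")
        links.append((uri, classify_uri(uri)))
    return links


# Constructed sample document; example.org/example.com are reserved test domains.
SAMPLE_TEXT = (
    "See https://example.org/docs and http://example.com for details. "
    "Never one-click ssh://x.example."
)

if __name__ == "__main__":
    for uri, decision in find_links(SAMPLE_TEXT):
        print(f"{decision:10} {uri}")
```

The scheme is what matters, not the host or path: a scheme outside the allowlist is not rejected, it simply loses the one-click path, which is the browser behaviour the comment contrasts Notepad with.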
But this is not about how you, but Microsoft, "the corporation that turns updates into chaos," introduces RCE bugs. And bugs in general: easy to introduce, by action or inaction, when one has absolutely no concern for user satisfaction.
Good point re: "RCE" though the CVSS score is 7.8/high severity; some more flavor per the FAQ at https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
> The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
> For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
What does "pet" in "pet vs. cattle" mean?
It comes from the world of systems operations. Something long-lived and trusted, so high emotional attachment (pet), vs. something short-lived that thus does not need to be trusted, so comparatively low emotional attachment (cattle).
For example, Bob's one-of-a-kind trusty server from which Bob is nigh inseparable, vs. a Docker container with a version controlled config you routinely tear down and bring up instances of, maybe even in an automated fashion.
Here this would map to trusty aged codebases you don't touch out of fear and caution, vs. codebases you can confidently touch because the spec, the code, the tests, the tooling, and the processes are solid.
> Change happens.
The low level tool that has served to rescue more systems than I can count does not need to "change" simply because "it happens, bro."
> while we can mechanistically
You can rule it out with process as well. As in "don't change what isn't broken."
> If they can introduce an RCE to Notepad
Then they clearly feel they have no viable competition. This is table stakes. Getting it wrong should lose you most of your customer base overnight. Companies actually used to _work_ this way.
If I told you to stop using computers, and then you won't have computer problems, I don't think you would find that particularly helpful or charitable either, would you?
What you find a trusty "low-level" tool is a demo application for a basic WYSIWYG text editor. They modernized it so that it remains being perceived that way, instead of letting it be increasingly misclassified as a legacy product for the enthusiast, like you just did.
Meanwhile TextEdit on Mac always rendered HTML. Which seems useless until you realize it can also edit and save as HTML. So there's casually a wysiwyg web editor built into macOS that idk how many people use.
idk maybe TextEdit DOES have some rce not discovered yet?
maybe we should separate "real original text-only editor" from "fancy text editor"?
windows already got wordpad... why even lay a finger on textpad?
Windows had WordPad but it was discontinued two years ago: https://en.wikipedia.org/wiki/WordPad
If it also allowed me to type what I want instead of changing every single word due to "spell check" it would actually be a useful tool!
Well, this is what we call opportunity cost.
I think it's more likely that Microsoft is vibe coding slop garbage to replace their core apps that were literally better.
Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is an Electron sloplication.
> Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
I have a hard time believing this. I'm pretty sensitive to performance losses and I haven't noticed any difference between those. It wouldn't make sense either, given they should both host the same shell icon views. Are you sure the difference you're seeing is in explorer.exe? As opposed to something else, like a new shell extension or a new filesystem filter driver on Windows 11?
> As opposed to something else, like a new shell extension or a new filesystem filter driver on Windows 11?
Ultimately, what difference does it make? The file explorer in Windows 10 is much faster than the one in Windows 11, and it's very noticeable. Turn on the old context menus, and try right clicking a file. Instant in Windows 10, visible delay in Windows 11.
It is certainly perceptibly slow. Carried out a test on my 12 year old PC running Win-10 vs a new HP Win11 laptop of my friend which he bought in a hurry before price increases. Opened a directory of several thousand files with nested folders - much slower at navigation. Much slower at opening right-click menus. Much slower at pretty much everything.
M$ has now introduced web-latency into the desktop along with their adoption of web-tech into the OS. You gotta get used to staring at that spinning blue circle, counting the many precious moments of your life draining away.
I measured once. It uses about 50% more resources and offers fewer features (or at least hides existing features). You may not have noticed if you had resources to spare.
It does offer some new features for businesses. Nothing useful for the consumer, and nothing to justify the massive performance loss
The Windows computer I have to use at work takes over ten seconds to open the calculator. It literally is faster to type the calculation I want into a search engine and get the results back over the network.
The new calculator even manages to screw up basic input. The old calculator accepted both commas and periods as decimal separator inputs. It just worked no matter what I typed in. The new calculator has some sort of "clever" localization where my inputs change depending on the language of the operating system. My language uses commas so of course it only accepts those. Infuriating. Hope whoever coded this is enjoying their promotion.
It's not faster bereft of context, it's just bloated. If you have enough resources to throw at it, it's roughly the same. There are some specific things that can themselves be slower; the Windows 11 Start Menu has had a lot of words written about its new implementation.
The best example is probably the new "Outlook", and I put that name in quotes intentionally.
In case anyone is not aware:
20231109 https://news.ycombinator.com/item?id=38212453 Windows 11 Update 23H2 is stealing users' IMAP credentials (666 points, 278 comments)
> the new Outlook is a thin wrapper around the cloud version, so the IMAP sync happens in the cloud, not locally
If everything is electron then there’s literally no reason to pay for windows since superior OSes can run everything exactly the same
It's been so weird to watch over the decades as team sizes, budgets, and timelines have exploded even as we've abandoned once-normal things like native GUI applications as too hard in favor of "more efficient" webshit... even as the aforementioned stuff with growing team sizes, budgets, and timelines have happened.
What's weird is that AI is supposed to make development easy enough that native applications are just as fast to build as web apps.
Somehow in this timeline AI can only be used to make things worse and sloppier