Comment by perching_aix
19 hours ago
I thought it is by introducing an RCE vulnerability that you get an RCE vulnerability.
I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...
> * Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.
That's not the case here.
Web browsers warn you about opening arbitrary protocols. And you have to select the program that will open it.
This Notepad vuln allows you to click things like ssh://x....
> This Notepad vuln allows you to click things like ssh://x....
Which just opens up SSH connecting to a server. Is that really RCE?
It'll also only work with URI schemes that are registered on your system. It's not running arbitrary commands - software you install on your PC registers URI schemes and sets what command it should run when opened. It's then up to that software to parse the URI and handle it properly. If it doesn't then the RCE belongs to them because they registered the URI scheme and failed to handle it securely. Having an allowlist of URI schemes in Notepad isn't going to fix it.
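To make the point above concrete (that the registered handler, not the launcher, is the place where a URI has to be parsed and validated before anything is executed), here is an added example that is not code from this thread, from Notepad, or from any real URI handler. It models a hypothetical handler registered for an `ssh`-like scheme: the scheme name, the hostname and username grammar, the default port and the argv it builds are all assumptions for illustration.

```python
"""Handler-side URI validation for a hypothetical registered scheme handler.

The launcher (Notepad, a browser, anything) hands the whole URI string to
whatever program the OS has registered for that scheme.  This module shows
the strict parse-then-dispatch shape such a handler should have.  All
names, the scheme, the allowed grammar and the default port are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Only the schemes this handler actually implements (assumption: just "ssh").
ALLOWED_SCHEMES = {"ssh"}
DEFAULT_PORT = 22

# DNS-style hostname: labels of 1-63 chars, letters/digits/hyphen, no label
# may begin or end with a hyphen.  IPv4 dotted quads also fit this grammar;
# IPv6 literals are deliberately not accepted in this example.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)
# Conservative account-name grammar: must start with a letter or underscore,
# so a username can never look like a command-line option.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$", re.IGNORECASE)


class RejectedURI(ValueError):
    """Raised for any URI this handler refuses to act on."""


@dataclass(frozen=True)
class Target:
    scheme: str
    host: str
    port: int
    user: Optional[str]


def parse_target(uri: str) -> Target:
    """Parse a URI strictly; anything outside the expected shape is rejected."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RejectedURI(f"scheme not handled by this program: {parts.scheme!r}")
    # This handler only understands scheme://[user@]host[:port]; no path, query
    # or fragment has any meaning here, so their presence is an error.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise RejectedURI("path, query and fragment are not accepted")
    host = parts.hostname
    if not host or not HOST_RE.match(host):
        raise RejectedURI(f"invalid host: {host!r}")
    try:
        port = parts.port  # ValueError if not an integer in 0..65535
    except ValueError as exc:
        raise RejectedURI("invalid port") from exc
    if port is None:
        port = DEFAULT_PORT
    if parts.password is not None:
        raise RejectedURI("credentials embedded in the URI are not accepted")
    user = parts.username
    if user is not None and not USER_RE.match(user):
        raise RejectedURI(f"invalid user: {user!r}")
    return Target(scheme, host.lower(), port, user)


def argv_for(uri: str) -> List[str]:
    """Build the argument vector the handler would hand to a process spawner.

    Assumption: the caller passes this list to the client program directly
    (no shell), so the validated fields are the only things that can reach it.
    """
    target = parse_target(uri)
    destination = f"{target.user}@{target.host}" if target.user else target.host
    return ["ssh", "-p", str(target.port), destination]


if __name__ == "__main__":
    # Constructed sample inputs, one accepted and one refused.
    print(argv_for("ssh://alice@bastion.example.com:2222"))
    try:
        argv_for("ssh://host.example/unexpected-path")
    except RejectedURI as err:
        print("rejected:", err)
```

The shape matters more than the particular grammar: parse first, reject anything that is not exactly what the handler knows how to act on, and only then build a fixed argument vector from the validated fields. A scheme allowlist in the launching application would not change any of this, which is the point the comment above makes.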
Good point re: "RCE" though the CVSS score is 7.8/high severity; some more flavor per the FAQ at https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
> The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
> For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
But this is not about how you, but Microsoft, "the corporation that turns updates into chaos," introduces RCE bugs. And bugs in general: easy to introduce, by action or inaction, when one has absolutely no concern for user satisfaction.
What does "pet" in "pet vs. cattle" mean?
It comes from the world of systems operations. Something long-lived and trusted, so high emotional attachment (pet), vs. something short-lived that thus does not need to be trusted, so comparatively low emotional attachment (cattle).
For example, Bob's one-of-a-kind trusty server from which Bob is nigh inseparable, vs. a Docker container with a version controlled config you routinely tear down and bring up instances of, maybe even in an automated fashion.
Here this would map to trusty aged codebases you don't touch out of fear and caution, vs. codebases you can confidently touch because the spec, the code, the tests, the tooling, and the processes are solid.
A different mapping: to Microsoft, the users' computers are cattle, but to each individual user, the computer is a pet. Which is why the users keep getting mad when their pet feature gets euthanized.
For development, I'd see a different mapping.
Pets are projects that you toy with and keep adding new features, even when the main objective has been met. Cattle are projects that do what they are supposed to and are left alone.
I'd much rather have Notepad fall into the cattle category.
> Change happens.
The low level tool that has served to rescue more systems than I can count does not need to "change" simply because "it happens, bro."
> while we can mechanistically
You can rule it out with process as well. As in "don't change what isn't broken."
> If they can introduce an RCE to Notepad
Then they clearly feel they have no viable competition. This is table stakes. Getting it wrong should lose you most of your customer base overnight. Companies actually used to _work_ this way.
If I told you to stop using computers, and then you won't have computer problems, I don't think you would find that particularly helpful or charitable either, would you?
What you find a trusty "low-level" tool is a demo application for a basic WYSIWYG text editor. They modernized it so that it continues to be perceived that way, instead of letting it be increasingly misclassified as a legacy product for the enthusiast, like you just did.
I thought "basic WYSIWYG text editor" was more WordPad's lane, no? May it rest...