Comment by Rohansi
5 hours ago
> This Notepad vuln allows you to click things like ssh://x....
> Which just opens up SSH connecting to a server. Is that really RCE?
It'll also only work with URI schemes that are registered on your system. It's not running arbitrary commands - software you install on your PC registers URI schemes and sets what command it should run when opened. It's then up to that software to parse the URI and handle it properly. If it doesn't then the RCE belongs to them because they registered the URI scheme and failed to handle it securely. Having an allowlist of URI schemes in Notepad isn't going to fix it.
It doesn't only work with protocols registered by "your system" - Notepad doesn't register protocols. And Notepad is the user agent, here.
It works with your _locally_ registered protocols, not just the _remote_ protocols.
Which is why it works with JScript. And PowerShell. And Visual Basic.
This is a bug that replicates why IE 4 was called insecure. It's not something that should ever surface again, today.
It is... the exact example of what an RCE is. _Local_ code executed by a _remote_ command.
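Both sides of the thread hinge on which URI schemes the local machine has registered and what each handler actually runs. The following PowerShell audit is an added example (not from the thread or any of its participants) that inventories those handlers; it assumes the standard Windows convention that a protocol handler is an HKEY_CLASSES_ROOT key carrying a "URL Protocol" value with its launch command under shell\open\command.

```powershell
# Added example: list every URI scheme registered on this Windows host and the command
# it launches when a link such as ssh://... is opened from Notepad, a browser, or any app.
# Assumption: protocol handlers are HKCR keys with a "URL Protocol" value and a
# shell\open\command subkey (the standard Windows registration layout).
function Get-RegisteredUriScheme {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            # The "URL Protocol" value marks a key as a protocol handler, even when it is empty.
            $null -ne $_.GetValue('URL Protocol', $null)
        } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdPath = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $command = $null
            if (Test-Path -Path $cmdPath) {
                $command = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
            }

            [pscustomobject]@{
                Scheme  = $scheme
                Command = $command
                # The whole URI is substituted for %1, so the handler must validate it itself.
                PassesUri = [bool]($command -match '%1')
                # Handlers that hand the URI to a script or shell interpreter deserve a closer look:
                # the interpreter, not the program that opened the link, decides what gets executed.
                ScriptHost = [bool]($command -match '(?i)powershell|pwsh|wscript|cscript|mshta|cmd\.exe')
            }
        }
}

# Constructed usage: show the riskiest-looking handlers first for review.
Get-RegisteredUriScheme |
    Sort-Object -Property ScriptHost, PassesUri, Scheme -Descending |
    Format-Table -AutoSize
```

Run it as a normal user; the output is a defender's inventory of which schemes a clicked link can reach on this machine and whether each handler forwards the raw URI to something that interprets it.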