They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
The point is that I’ve seen several comments on other posts about this vulnerability, and in the body of this one, saying that Notepad is bloated and terrible now.
I’m offering a counterpoint that this is not necessarily bloat. It’s debatable that this is the right tool to have this feature, but it can be a useful feature.
I’m fine with Markdown support, but I wish MS got the message about Copilot being unwanted. Not sure if they’ve added it to Notepad or not at this stage, but given all the places they’ve crammed it into I wouldn’t be surprised.
That’s called bloat.