Windows Notepad App Remote Code Execution Vulnerability

What the vulnerability is

  • New Notepad now renders Markdown and makes links clickable.
  • When a Markdown file is opened, clicking certain links causes Notepad to invoke ShellExecute, which happily handles many schemes: local paths, UNC paths (\\server\share\malware.exe), custom URL handlers, etc.
  • This can end up launching and executing remote or local binaries in the user’s security context, giving an attacker the user’s privileges.
  • People demonstrated simple cases like a Markdown link pointing directly to C:\Windows\System32\cmd.exe opening a shell.

Is it really “remote code execution”?

  • Some commenters argue the CVE is legitimate RCE: untrusted content plus a click leads to arbitrary code running.
  • Others say “RCE” is being stretched, since it requires user interaction and often local files; they liken it more to a bad document parser bug than a classic network RCE.
  • There’s also debate over “remote”: remote SMB paths and protocol handlers vs. “you just tricked someone into running an EXE anyway.”

Feature bloat and broken expectations

  • Strong nostalgia for old Notepad as a tiny, predictable, “done” utility: plain text only, no formatting, no networking, good for stripping formatting and safely inspecting files.
  • Many see Markdown rendering, clickable links, Copilot, and other rich features as pure bloat that created this attack surface.
  • The change is framed as violating the principle of least privilege: a simple text editor should not have a network-aware rendering stack or protocol-launching behavior.

Trust in core utilities and security model

  • Notepad is often run as Administrator or used to edit system files, so a high-severity bug here feels especially bad.
  • Some compare this to earlier “you can’t get a virus from X… until Microsoft made that wrong” moments (e.g., media formats, WMF).
  • Others point out that many editors and terminals now make links clickable; the difference is browsers typically prompt before launching non‑http(s) schemes, while Notepad did not.
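
An added example, not code from Notepad or from the discussion, of the check the last point describes: classify every Markdown link target and require confirmation for anything that is not http(s), including the UNC-path, local-path and custom-handler cases listed under "What the vulnerability is". The function names, category labels, `example-handler` scheme and sample document are assumptions made for illustration.

```python
import re

# Inline links [text](target "title") and autolinks <scheme:target>.
INLINE_LINK = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>')
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')
DRIVE_PATH = re.compile(r'^[A-Za-z]:')   # "C:" would otherwise parse as a scheme
WEB_SCHEMES = {"http", "https"}

def classify_target(target):
    """Return a coarse category for a link target."""
    t = target.strip()
    if t.startswith(("\\\\", "//")):
        return "unc-path"              # \\server\share\... or //server/share/...
    if DRIVE_PATH.match(t):
        return "local-path"
    m = SCHEME.match(t)
    if not m:
        return "relative-path"         # no scheme: resolves on the local file system
    scheme = m.group(1).lower()
    if scheme in WEB_SCHEMES:
        return "web"
    return "file-url" if scheme == "file" else "other-scheme"

def needs_confirmation(target):
    """Policy raised in the discussion: only http(s) opens without a prompt."""
    return classify_target(target) != "web"

def scan_markdown(text):
    """Return (line, target, category) for links needing a prompt, deduplicated per line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for t in dict.fromkeys(INLINE_LINK.findall(line) + AUTOLINK.findall(line)):
            if needs_confirmation(t):
                findings.append((n, t, classify_target(t)))
    return findings

# Constructed sample; the two path targets are the ones quoted on this page.
SAMPLE = r"""# notes
[docs](https://example.com/readme)
[tool](\\server\share\malware.exe)
[shell](C:\Windows\System32\cmd.exe)
[open](example-handler://open?item=1)
<file:///C:/Windows/System32/cmd.exe>
"""

if __name__ == "__main__":
    for line_no, target, category in scan_markdown(SAMPLE):
        print(f"line {line_no}: {category:13} {target}")
```

The same classifier can run as a pre-open check on Markdown files received from outside, flagging any file whose findings list is not empty.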

Workarounds and alternatives

  • Several describe disabling the “execution alias” to restore the classic Notepad that still ships with Windows 11, or copying old Notepad/Calc/Paint binaries from earlier Windows versions.
  • Others recommend msedit, Notepad2/3/4, Notepad++, Sublime Text, Vim, or switching to Linux/BSD or heavy sandboxing/VMs.

Critiques of Microsoft’s direction

  • The bug is held up as emblematic of “enshittification”: resume‑driven feature creep, AI everywhere, UWP bloat, and disregard for stable core tools.
  • Multiple comments argue that Windows core utilities should prioritize minimalism, safety, and backward compatibility over new “product” features.