top | item 46972394

Fiveplus | 19 days ago

We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.

For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.

At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"

bigfatkitten|19 days ago

> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"

They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.

ThrowawayB7|18 days ago

If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results.

sneak|19 days ago

It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”.

tombert|18 days ago

It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”.

est|18 days ago

I think they came up with the exact right answer, like:

> How do I add more features to get a promotion

psychoslave|18 days ago

But can it generate QR codes already?

weinzierl|19 days ago

> For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text.

Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.

I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.

usrbinbash|19 days ago

As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarrassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score.

> and we have other battles we fight.

Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with one's fist for no good reason, and then complaining about the resulting pain.

dspillett|19 days ago

> nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem

I wish…

Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.

Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.

Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
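Added example (my code, not from the thread or from any product named in it): a BOM-aware encoding sniffer that flags the CP1252 fallback as a guess, reads a CSV header without the U+FEFF leaking into the first column name, and reproduces the "UTF8 read as CP1252" corruption step, including the case where it is not reversible. The function names and the sample strings are assumptions.

```python
import codecs
from typing import Optional

# Check the UTF-32 BOMs first: BOM_UTF32_LE (FF FE 00 00) starts with BOM_UTF16_LE (FF FE).
# The utf-8-sig / utf-16 / utf-32 codecs consume the BOM, so it never leaks into the text.
BOMS = [
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]


def sniff_encoding(data: bytes):
    """Return (codec, deterministic). A BOM or bytes that validate as UTF-8 is a firm
    answer; anything else is some 8-bit codepage, CP1252 being only the customary
    assumption, so the flag is False to tell the caller this part is a guess."""
    for bom, codec in BOMS:
        if data.startswith(bom):
            return codec, True
    try:
        data.decode("utf-8")
        return "utf-8", True
    except UnicodeDecodeError:
        return "cp1252", False


def read_csv_header(data: bytes):
    """Decode the first line and split it; with BOM-consuming codecs the first
    column name comes back clean instead of prefixed with U+FEFF."""
    codec, _ = sniff_encoding(data)
    return data.decode(codec).splitlines()[0].split(",")


def utf8_misread_as_cp1252(text: str) -> str:
    """Simulate the corruption step from the comment: a UTF-8 file loaded as
    CP1252 and written back out ('café' -> 'cafÃ©'). errors='replace' stands in
    for the five bytes CP1252 leaves undefined (81 8D 8F 90 9D)."""
    return text.encode("utf-8").decode("cp1252", errors="replace")


def undo_one_misread(text: str) -> Optional[str]:
    """Reverse exactly one such round trip, or None when the original bytes are
    gone (U+FFFD has no CP1252 byte, so 'Ł' = C5 81 cannot be recovered)."""
    try:
        return text.encode("cp1252").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
```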

bsza|19 days ago

There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money.

When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.

reyqn|19 days ago

Embarrassing bugs are not RCEs. Also the industry should be more mature now, not less. But move fast and break things, I guess...

nuancebydefault|19 days ago

To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to persuade you to do something harmful.

In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.

g947o|19 days ago

I am pretty sure it's possible to fix that entire category of bugs without introducing RCE vulnerabilities.

croes|19 days ago

> Now this is a solved problem

Is that so? I ran into problems pretty often with programs having trouble with non-ANSI characters.

jama211|19 days ago

Fascinating reading about that bug, thanks for sharing

direwolf20|19 days ago

It's not solved, we just don't have to guess the encoding any more because it's always UTF-8.

keepamovin|19 days ago

I couldn't agree more. A text editor exposing an attack surface via a network stack is precisely the kind of bloat that makes modern computing ultra-fragile.

I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.

It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad

usrbinbash|19 days ago

Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer.

joshuaissac|18 days ago

> FIPS-compliant bindings (OpenSSL)

Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.

The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.

Muromec|19 days ago

What does notepad need openssl for?

JasonADrury|18 days ago

This is all vibecoded FWIW, I think it'd be cool if authors more proactively disclosed this.

cafebabbe|19 days ago

Question is, did they even realize they added a network-aware rendering stack...

autoexec|19 days ago

Is it giving MS too much credit to suggest that they probably didn't just vibe code their new notepad?

gruez|18 days ago

> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"

But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)?

From MSRC:

> How could an attacker exploit this vulnerability?

> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

Sounds like a bug where you could put a URL like \\evil.example\virus.exe into a link, and if a user clicks it executes virus.exe.
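Added example (my code, not from the thread or from Notepad): the allowlist check a Markdown viewer could run on link targets before handing them to the OS, covering the schemeless UNC shape gruez describes, which a naive "no scheme means a harmless relative link" test would pass through. `classify_link`, `scan_markdown` and the sample document are assumptions.

```python
import re
from urllib.parse import urlsplit

# Schemes a viewer may hand to the operating system's URL handler. Everything
# else (file:, UNC shares, app-specific protocol handlers, relative paths) is
# refused rather than passed through.
ALLOWED_SCHEMES = {"http", "https"}

# Inline markdown link: [text](target). Targets containing ')' or whitespace are not matched.
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")


def classify_link(target: str) -> str:
    """Return 'allow' or a 'reject:<reason>' string for one link target."""
    t = target.strip()
    # A UNC share (\\host\share) or protocol-relative //host/path has no scheme,
    # so urlsplit() reports scheme == '' and a check that only blocks unknown
    # schemes would let it reach the OS handler.
    if t.startswith(("\\\\", "//")):
        return "reject:unc-path"
    if "\\" in t:
        return "reject:backslash"
    parts = urlsplit(t)
    if not parts.scheme:
        return "reject:schemeless"
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit() lower-cases the scheme
        return "reject:scheme:" + parts.scheme
    if not parts.netloc:  # e.g. 'http:foo' with no host part
        return "reject:no-host"
    return "allow"


def scan_markdown(text: str):
    """Return [(target, verdict)] for every inline link in a markdown document."""
    return [(m.group(2), classify_link(m.group(2))) for m in MD_LINK.finditer(text)]


# Constructed sample document; the UNC target mirrors the shape in the comment above.
SAMPLE = r"""# Release notes (constructed sample)
[documentation](https://example.com/docs)
[shared drive](\\evil.example\virus.exe)
[local copy](file:///C:/tmp/example.exe)
[readme](./README.md)
"""
```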

optymizer|18 days ago

That's why we have text editors, markdown viewers, image viewers, etc.

You were never able to "click a link" in Notepad in the past.

Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them.

kgwxd|19 days ago

The day calculator brought me to an MS Store login was the day I became a radical.

cube00|18 days ago

Mine was when they asked me to rate the calculator on the store.

mr_mitm|19 days ago

Unfortunately, code execution in text editors isn't a new thing. Vim had one published in 2019: https://github.com/numirias/security/blob/master/doc/2019-06...

Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377

Neither vim nor Notepad are purely for displaying text though.

Someone1234|18 days ago

> Neither vim nor Notepad are purely for displaying text though.

Up until fairly recently, that's exactly all Notepad did.

Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.

iso1631|19 days ago

vim is a far larger program than a text editor.

notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".

TZubiri|19 days ago

EDIT: THE OLD NOTEPAD IS STILL IN WINDOWS AND WE CAN USE IT!

https://learn.microsoft.com/en-us/answers/questions/3845356/...

You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D

OLD POST:

This has hurt me specifically. Since I work without IDEs, no VIM, no VS Code. On Linux I use nano, on Windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.

Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.

But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".

BLKNSLVR|19 days ago

I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on.

I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.

MonkeyClub|19 days ago

> the purity of "working with what's installed".

Oh, a kindred spirit!

I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.

(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)

Baerbeisser|18 days ago

There's still old tiny Metapad. And also more modern and fully featured (but still light) Notepad 2/3/4 and Notepad++. For full replacement, I just renamed all instances to notepad.exe.bak, back then on Windows 7 & 10, and rename-replaced it with metapad.exe. Though, I guess with UWP apps (modern Notepad is one), it's just file associations nowadays. There's surely some mass-reassociate utility around?

Btw, nano is only a 50/50 chance that it's pre-installed. Learn some vim, will ya? ;)

JCattheATM|17 days ago

Does Windows come with a compiler I don't know about? Or do you only code batch files and VB Script?

oblio|19 days ago

> This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.

What's your day job? Are you self employed?

autoexec|19 days ago

EDIT.COM still works in dosbox

funnybeam|18 days ago

Except it keeps reverting to the new notepad every few days….

I’ve been fighting this for the last couple of weeks but it just doesn’t stick

titzer|18 days ago

It'd be more hilarious if it weren't so sad. In just 10 years a disturbingly large number of huge development teams decided that making a GUI application using the old ways [1] was too hard and decided to ship an entire web engine (electron) to render 10 buttons.

[1] (native GUI widgets? agggh)

FridgeSeal|18 days ago

Large swathes of this industry have an obsession with investing 10x more resources into the wrong thing, than simply fixing the underlying issue.

Rohansi|18 days ago

Which 10 buttons?

JCattheATM|18 days ago

Things started going downhill when they added a Bing option to one of the menus, which was only very recently after they added support for *nix newlines. A very mishandled product, but then the whole OS has been mishandled since 10. Some would say 7.

numpad0|18 days ago

> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"

Everyone has to prove their worth by involving more people in ever embiggening trainwrecks every quarter in this day and age just to maintain employment, and without tangibly threatening anyone else's while at it. That's where the features are coming from. That's what needs to be fixed. Which also goes way beyond engineering.

consp|19 days ago

> viewing data is a fundamental failure of the principle of least privilege.

I read the CWE, not the CVE, and was wrong. It's still early in the morning...

seritools|19 days ago

You are mistaken:

> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.

mwalser|19 days ago

> If I read it correctly (but could be mistaken), it runs with setuid root

I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.

lofaszvanitt|18 days ago

Now imagine that there are people who want to embed video players and image viewing in the terminal :D.

AnonymousPlanet|19 days ago

I'm not sure if we should use "gold standard" together with the little piece of garbage that notepad.exe was for most of its existence. It has been the bane for anyone who had to do work on locked down Windows servers and had to, e.g., edit files with modern encodings. They fixed some of it in the meantime, but the bitter taste remains.

iugtmkbdfil834|19 days ago

You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh Windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end was nigh.

addhochohoc|19 days ago

You gotta go with the times, man, gotta write yourself a full-time job with a legacy.

artemonster|19 days ago

Tell this to level N-1 managers that want to get promoted by the only way of "launching features".

hennell|19 days ago

A utility meant for viewing data? I don't think you understand what a text editor is.

I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.

ntoskrnl_exe|19 days ago

I’m not sure I understand what you’re trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And I fail to see the new features as anything but useless bloat.

ceving|19 days ago

They should have called it Emacs. Then everybody would have known.