r2vcap | 19 days ago

A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.

At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…

dgxyz|19 days ago

Well technically Unixes like Linux are a mountain of legacy and they are fine.

Windows is just a mountain of shit.

est|18 days ago

> a mountain of legacy and they are fine.

telnetd CVE-2026-24061. It's an embarrassingly simple exploit but took years to be discovered.

> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
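Added example, not part of est's comment and not telnetd's own code: one way a daemon can refuse a client-supplied USER value that would be parsed as an option before it reaches the login program. The function names, the character allow-list, the 32-byte limit and the use of `--` with a getopt-style login are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 only if `user` can safely be used as login's username operand.
 * The allow-list and 32-byte limit are assumptions made for this sketch. */
int user_is_safe(const char *user)
{
    size_t len = user ? strlen(user) : 0;

    if (len == 0 || len > 32 || user[0] == '-')   /* "-f root" stops here */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        /* No whitespace: the value must stay one argv element even if the
         * command line is later split on spaces. */
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Fills argv for the login program; returns argc, or -1 if USER is rejected.
 * "--" ends option parsing for getopt-style programs (assumed for login). */
int build_login_argv(const char *user, const char *argv[], int cap)
{
    int n = 0;

    if (cap < 4 || !user_is_safe(user))
        return -1;
    argv[n++] = "/usr/bin/login";
    argv[n++] = "--";
    argv[n++] = user;
    argv[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample values for the client-controlled USER variable. */
    const char *samples[] = { "alice", "-f root", "root -f", "-froot", "" };
    const char *argv[4];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("USER=\"%s\": %s\n", samples[i],
               build_login_argv(samples[i], argv, 4) < 0 ? "rejected" : "accepted");
    return 0;
}
```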

nananana9|19 days ago

"Fine"

Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?

direwolf20|19 days ago

Unixes like Linux are not immune.

tristor|18 days ago

> At this point, what am I supposed to do other than uninstall Windows completely?

Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?

There is no valid excuse for this vulnerability. Its existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.

gradientsrneat|18 days ago

That was a CCP group compromising Notepad++'s underlying hosting provider; not really much to be done there aside from switching hosting providers. The update validation was also improved, and there's also scoop if you don't trust the built-in updater. Fortunately the attack was narrowly targeted and the IOCs are known.

Zenul_Abidin|18 days ago

It was not compromised a few days ago, that's just when the attack was disclosed. The actual compromise and exploitation happened months ago for several weeks.

cookiengineer|18 days ago

I still use VIM in the terminal. So far, I'm fine, but I assume there's gonna be some inevitable CI/CD compromises sooner or later.

agumonkey|19 days ago

we still need a mouse icon rce until we reach peak

TZubiri|19 days ago

>No real sandboxing, a mountain of legacy…

You have:

- Windows Sandbox (consumer-level sandbox)
- Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
- HyperV (VM hypervisor)
- Edge Browsers

Don't get me wrong, MSFT quality is dropping steeply, but this is still a strong point. For comparison, on Ubuntu, user folder by default can be read by all users.

michaelsshaw|18 days ago

>Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)

Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.

yoyohello13|18 days ago

Install vim for Windows. I just use gvim as a notepad replacement. No plugins or anything required.

karel-3d|18 days ago

Visual Studio Code was not compromised.

michaelsshaw|18 days ago

Neither is Neovim, Sublime Text, Visual Studio, ed, etc... So what? This is still unacceptable