password4321 | 4 days ago

I believe Markdown support is what led to CVE-2026-20841 earlier this month.

20260211 https://news.ycombinator.com/item?id=46971516 Windows Notepad App Remote Code Execution Vulnerability (804 points, 516 comments)

20260210 https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

> "An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad"

Other recent Notepad issues:

20260207 https://news.ycombinator.com/item?id=46927098 Microsoft account bugs locked me out of Notepad – Are thin clients ruining PCs? (187 points, 284 comments)

20260127 https://news.ycombinator.com/item?id=46780451 Windows 11 January Update Breaks Notepad (60 points, 25 comments)

j2kun|4 days ago

This is my favorite part of this story. Do you want remote code execution? Because [fixing things that aren't broken] is how you get remote code execution.

perching_aix|4 days ago

I thought it is by introducing an RCE vulnerability that you get an RCE vulnerability.

I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.

Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.

* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.

** Under the interpretation that this was an RCE, which I question.

[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...

zadikian|4 days ago

Meanwhile TextEdit on Mac always rendered HTML. Which seems useless until you realize it can also edit and save as HTML. So there's casually a wysiwyg web editor built into macOS that idk how many people use.

0xy|4 days ago

I think it's more likely that Microsoft is vibe coding slop garbage to replace their core apps that were literally better.

Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.

It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is an Electron sloplication.

stevefan1999|4 days ago

Well, this is what we call opportunity cost.

krater23|3 days ago

Making automatic updates mandatory is another name for 'Give M$ remote code execution'.

WithinReason|4 days ago

It was already true that an attacker could trick a user into copying a malicious link inside a file opened in Notepad to their browser; was that also a Remote Code Execution Vulnerability?

JonathonW|4 days ago

You can trick the user into copying the same malicious link, but browsers have generally already implemented the same mitigation that is Microsoft's fix for this issue inside Notepad (specifically, prompting before opening outside applications after the user enters or clicks a URL that isn't one of the built-in schemes).
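
The mitigation JonathonW describes, as an added example that is not from this thread or from Microsoft's code: a link-open policy that classifies a clicked URL by scheme, opens a small allowlist of built-in web schemes directly, and asks the user before anything else reaches an external protocol handler. The allowlist contents and the WHATWG-style input normalisation (strip leading/trailing controls and spaces, drop embedded tab/CR/LF) are assumptions, not details stated on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist (assumption): schemes the viewer handles itself and may open
# without asking. Everything else goes to an external protocol handler and gets a prompt.
BUILTIN_SCHEMES = frozenset({"http", "https"})

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalise(url: str) -> str:
    """Apply the cleanup a WHATWG URL parser performs before reading the scheme:
    strip leading/trailing C0 controls and spaces, remove embedded tab/CR/LF.
    Classifying the raw string instead would let an embedded tab hide the scheme
    from this check while the downstream opener still strips it and launches."""
    stripped = url.strip("".join(chr(c) for c in range(0x21)))
    return re.sub(r"[\t\r\n]", "", stripped)


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme, or None if the text is not an absolute URL."""
    m = _SCHEME_RE.match(normalise(url))
    return m.group(1).lower() if m else None


@dataclass(frozen=True)
class Decision:
    action: str            # "open", "prompt" or "ignore"
    scheme: Optional[str]
    reason: str


def decide(url: str) -> Decision:
    """Policy applied when the user clicks a rendered link."""
    scheme = extract_scheme(url)
    if scheme is None:
        return Decision("ignore", None, "no URL scheme; not treated as a link")
    if len(scheme) == 1:
        # "C:\\..." parses as scheme "c": a local path, not a web URL
        return Decision("prompt", scheme, "drive-letter path would launch a local file")
    if scheme in BUILTIN_SCHEMES:
        return Decision("open", scheme, "built-in scheme handled by the viewer")
    return Decision("prompt", scheme, "external protocol handler; confirm before launching")


if __name__ == "__main__":
    # Constructed sample inputs
    for sample in ("https://example.com/", " \tcus\ttom-app:payload", "C:\\Temp\\x.txt", "readme.txt"):
        print(repr(sample), "->", decide(sample))
```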

dec0dedab0de|4 days ago

It looks like the exploit would cause notepad to retrieve and execute arbitrary code when a malicious link is clicked.

iqandjoke|3 days ago

Much worse: CVE-2026-20682 Apple Notes Note Deletion Logic Flaw (An attacker may be able to discover a user’s deleted notes.) Many have not upgraded to iOS 26.3 yet.

asveikau|4 days ago

I believe Notepad was originally just a demo of the multi-line edit control. Feature creep.