This is my favorite part of this story. Do you want remote code execution? Because [fixing things that aren't broken] is how you get remote code execution.
I thought it is by introducing an RCE vulnerability that you get an RCE vulnerability.
I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
> * Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.
> According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
> The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
> For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
The low level tool that has served to rescue more systems than I can count does not need to "change" simply because "it happens, bro."
> while we can mechanistically
You can rule it out with process as well. As in "don't change what isn't broken."
> If they can introduce an RCE to Notepad
Then they clearly feel they have no viable competition. This is table stakes. Getting it wrong should lose you most of your customer base overnight. Companies actually used to _work_ this way.
But this is not about how you, but Microsoft, "the corporation that turns updates into chaos,"introduces RCE bugs. And bugs in general: easy to introduce, by action or inaction, when one has absolutely no concern for user satisfaction.
Meanwhile TextEdit on Mac always rendered HTML. Which seems useless until you realize it can also edit and save as HTML. So there's casually a wysiwyg web editor built into macOS that idk how many people use.
I think it's more likely that Microsoft is vibe coding slop garbage to replace their core apps that were literally better.
Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is a Electron sloplication.
> Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
I have a hard time believing this. I'm pretty sensitive to performance losses and I haven't noticed any difference between those. It wouldn't make sense either, given they should both host the same shell icon views. Are you sure the difference you're seeing is in explorer.exe? As opposed to something else, like a new shell extension or a new filesystem filter driver on Windows 11?
If I have to view an image on Windows, I've long been in the habit of right clicking it and choosing "edit" to open MS Paint because it's so much better and faster than the stock image viewer. It's instant.
I can't think of a metaphor that sounds worse than this in regards to how low the bar has fallen. It's just an image viewer. How hard could they possibly be making it for themselves?
Literally the best parts of Windows have been the parts they forgot existed for 10+ years and never changed.
It's been so weird to watch over the decades as team sizes, budgets, and timelines have exploded even as we've abandoned once-normal things like native GUI applications as too hard in favor of "more efficient" webshit... even as the aforementioned stuff with growing team sizes, budgets, and timelines have happened.
perching_aix|4 days ago
I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...
Rohansi|4 days ago
Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.
password4321|4 days ago
> According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
> The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
> For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
themafia|4 days ago
The low level tool that has served to rescue more systems than I can count does not need to "change" simply because "it happens, bro."
> while we can mechanistically
You can rule it out with process as well. As in "don't change what isn't broken."
> If they can introduce an RCE to Notepad
Then they clearly feel they have no viable competition. This is table stakes. Getting it wrong should lose you most of your customer base overnight. Companies actually used to _work_ this way.
replooda|3 days ago
drited|4 days ago
unknown|4 days ago
[deleted]
zadikian|4 days ago
sysguest|4 days ago
maybe we should separate "real origianl text-only editor" from "fancy text editor"?
windows already got wordpad... why even lay a finger on textpad?
LtWorf|4 days ago
zadikian|3 days ago
0xy|4 days ago
Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is a Electron sloplication.
dataflow|4 days ago
I have a hard time believing this. I'm pretty sensitive to performance losses and I haven't noticed any difference between those. It wouldn't make sense either, given they should both host the same shell icon views. Are you sure the difference you're seeing is in explorer.exe? As opposed to something else, like a new shell extension or a new filesystem filter driver on Windows 11?
steve1977|4 days ago
pooploop64|1 day ago
Literally the best parts of Windows have been the parts they forgot existed for 10+ years and never changed.
bubblewand|4 days ago
coffeebeqn|3 days ago
stevefan1999|4 days ago
krater23|3 days ago
unknown|4 days ago
[deleted]