Rohansi | 4 days ago

> * Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.

Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.

shakna|4 days ago

That's not the case here.

Web browsers warn you about opening arbitrary protocols. And you have to select the program that will open it.

This Notepad vuln allows you to click things like ssh://x....

Rohansi|3 days ago

> This Notepad vuln allows you to click things like ssh://x....

Which just opens up SSH connecting to a server. Is that really RCE?

It'll also only work with URI schemes that are registered on your system. It's not running arbitrary commands - software you install on your PC registers URI schemes and sets what command it should run when opened. It's then up to that software to parse the URI and handle it properly. If it doesn't then the RCE belongs to them because they registered the URI scheme and failed to handle it securely. Having an allowlist of URI schemes in Notepad isn't going to fix it.
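
The registration mechanism described in the comment above, as an added example that is not part of the thread: a PowerShell audit listing which URI schemes are registered on a Windows machine and what command each one launches. It assumes classic registrations under HKEY_CLASSES_ROOT (a `URL Protocol` value plus a `shell\open\command` subkey); the `UnquotedArg` column name and its heuristic are chosen here for illustration.

```powershell
# List URI scheme handlers registered on this machine (read-only audit).
# A subkey of HKEY_CLASSES_ROOT is treated as a URI scheme when it carries a
# value named "URL Protocol"; the command run for it is the default value of
# its shell\open\command subkey. Registrations made any other way are not covered.
$root = [Microsoft.Win32.Registry]::ClassesRoot

$handlers = foreach ($scheme in $root.GetSubKeyNames()) {
    try {
        $key = $root.OpenSubKey($scheme)
        if ($null -eq $key -or $key.GetValueNames() -notcontains 'URL Protocol') {
            continue
        }

        $cmdKey  = $key.OpenSubKey('shell\open\command')
        $command = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { '' }

        [pscustomobject]@{
            Scheme      = $scheme
            Command     = $command
            # Heuristic only: the URI placeholder (%1) appears in the command
            # but not inside double quotes, so the handler's own argument
            # parsing deserves a closer look.
            UnquotedArg = ($command -match '%1') -and
                          ($command -notmatch '"[^"]*%1[^"]*"')
        }
    }
    catch [System.Security.SecurityException] {
        continue   # key not readable by the current user; skip it
    }
}

$handlers | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```

The output is the set of programs that any clickable link on this machine can start, which is the list to review when deciding which handlers to keep installed.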