What other markdown viewers or editors support URL schemes that just execute code? And not in a browser sandbox but in the same security context notepad itself is running in.
Funnily enough, the core Windows API here that brings with it support for every URL scheme under the sun is plain old ShellExecute() from the mid-90s IE-in-the-shell era when such support was thought reasonable. (I actually still think it’s reasonable, just not with the OS architectures we have now or had then.)
Clicking an unknown link shouldn't result in compromise. Fortunately, MS-Windows disallows running anything not vetted by MS unless you figure out how to bypass the "SmartScreen" filter. This filter is super annoying to many a techie or gamer, but for MS-Windows refusing to run "unknown" programs is a feature, not a bug.
So yes, MS will likely denounce this as not their problem and move on.
Even if you want Notepad to have clickable links, maybe not allow it to blindly allow every URL scheme known to man. It seems reasonable to limit it to do http/https and MAYBE mailto.
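The allowlist suggested in the comment above, as an added example (not code from Notepad or from anyone in this thread): a C check an editor could run on a clicked link before passing it to ShellExecute(). The function names and the exact allowlist are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Schemes a text editor has a reason to open; everything else is refused.
 * (Assumed list, taken from the comment: http/https and maybe mailto.) */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto" };

/* Length of the RFC 3986 scheme at the start of `url`, or 0 if there is none.
 * scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), followed by ":" */
static size_t scheme_length(const char *url)
{
    size_t i;
    if (!isalpha((unsigned char)url[0]))
        return 0;
    for (i = 1; url[i] != '\0' && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;
    }
    return url[i] == ':' ? i : 0;
}

/* Returns 1 only when the link's scheme is on the allowlist (case-insensitive).
 * Targets without a scheme (relative, drive-letter or UNC paths) are refused
 * as well, because a shell launch would open or run them as files. */
int link_is_allowed(const char *url)
{
    size_t n, k, j;
    if (url == NULL)
        return 0;
    n = scheme_length(url);
    if (n == 0)
        return 0;
    for (k = 0; k < sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0]; k++) {
        const char *s = ALLOWED_SCHEMES[k];
        if (strlen(s) != n)
            continue;
        for (j = 0; j < n && tolower((unsigned char)url[j]) == s[j]; j++)
            ;
        if (j == n)
            return 1;
    }
    return 0;
}
```

The check is deny-by-default: a drive-letter path such as `C:\dir\file` parses as the one-letter scheme `C`, which is not on the list, so it is refused along with every unlisted handler.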
I want to complain about the terminology used. It is probably just me, but RCE implies no user action required. It is a stupid, bad error yes, but because it requires the user to load a payload file and click on a link I would not really categorize it as a "remote" code execution type vulnerability.
But yeah, pedantic terminology aside, what a stupid, stupid error. In Notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then Microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past." Sigh, smooth move Microsoft, thanks for making a liar out of me.
Yes, that is the definition consistent with historical use of "RCE": a component is accessible in such a way that it is remotely reachable and you can get full code execution access on the machine via that bug (subject to whatever limits the process has within the OS, such as running as a certain user ID or seccomp or such). This attack is less like an RCE in a networked web server and more like bad file parsing in a PDF reader.
Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor).
I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation.
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....