They finally did it.
-
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things lmao.
Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology
-
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things lmao.
Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology
@pheonix how are they making the same mistakes in their products since their first email client in the 90s.
Every... Fucking... Time...
How
-
@pheonix How can you fuckup Markdown support so hard
@pheonix @NaahraTheScaled Microsoft: "Challenge accepted."
-
@pheonix oh wow, is it real? Saw it this morning and thought it was a joke.
-
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things lmao.
Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology
@pheonix
I'm old enough to remember how @adamshostack re-invented application security at Microsoft and basically for most of the industry. Holy $#!+ how the times have changed
-
@pheonix vibe coder doing vibe coding things
️ -
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things lmao.
Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology
-
@pheonix@hachyderm.io the thing is that there are many, many safe existing libraries to properly render and parse #Markdown without exposing yourself to RCE.
But my guess is that some project manager at #Microsoft simply went like "nah, I don't want to wrestle with those licensing issues - just implement a Markdown parser/renderer from scratch, specifically tailored for all the legacy code we have in Notepad, with this over-stretched team of 3 contractors, and get it done by the end of the quarter".
@fabio @pheonix It's not a renderer issue. It doesn't pop up a warning before opening certain URL schemes when you ctrl+click on them. Is this an issue? I don't know, conceivably but not in most Windows 11 configuration ("default" isn't really a thing). you can get a t shirt for reporting things like this if you find that interesting
-
M mindtunes@troet.cafe shared this topic
