Windows Notepad App Remote Code Execution Vulnerability
cve.org
660 points by riffraff 13 hours ago
By looking at their 2025 shareholder report (Look for the part below "NOTE 18"), Windows is only at the 5th place in terms of revenue source, even below the LinkedIn:
https://www.microsoft.com/investor/reports/ar25/index.html#
I can only think that they do not even care about Windows anymore, let alone Notepad...
It splits revenue out to 3 categories, "Productivity and Business Processes", "Intelligent Cloud", and "More Personal Computing", with windows as one of several things in the 3rd group. How did you figure it out as a 5th place revenue source?
Search for this: "Revenue, classified by significant product and service offerings"
Microsoft is Windows. Anyone saying otherwise is completely delusional.
Most of M$ office software has alternatives (Google Docs, OpenOffice...), M$ has no AI model and no AI labs to speak of, Github is constantly crashing and burning, Azure is garbage, and they utterly killed Xbox.
Oh and Linkedin is for actual psychopaths.
If Windows dies, all of their other junk that is attached to the platform will die as well.
Holding one's unsubstantiated personal beliefs above all evidence and rational argument is, in fact, delusion.
The evidence in TFA is that Microsoft is much more than Windows. So much more in fact that one can make a very reasonable argument that it's no longer a top priority for them.
The delusion is shutting your eyes, covering your ears, and screaming about how literally everyone except you is wrong.
> Microsoft is Windows. Anyone saying otherwise is completely delusional.
What's delusional is making unsubstantiated claims and then dismissing any counterarguments before they're made.
> Most of M$ office software has alternatives (Google Docs, OpenOffice...)
True. Yet MS Office is still the de facto standard.
> Github is constantly crashing and burning
True. But that doesn't mean it isn't still a business strategy for MS.
> Azure is garbage
Also true. But that doesn't mean it isn't profitable: "Microsoft Cloud revenue increased 23% to $168.9 billion."
> and they utterly killed Xbox
Quite the opposite. Xbox is thriving: "Xbox content and services revenue increased 16%."
> Oh and Linkedin is for actual psychopaths.
That's subjective. And even if it were true, that's got nothing to do with profitability (eg look at Facebook).
> If Windows dies, all of their other junk that is attached to the platform will die as well.
First off, literally no-one is claiming Windows is going to "die".
Secondly, even if it were to "die", you've provided no evidence why their other revenue streams wouldn't succeed when it's already been demonstrated that those revenue streams are growing, and in some cases, have already overtaken Windows.
I know devs are a different market, but how many folks do we know daily drive Mac/Linux and use MS dev tools? VS Code, Typescript, .NET?
I think they'll do just fine if Windows dies on the vine. They'll keep selling all the same software; even for PC gaming they already have their titles on Steam.
> LinkedIn is for actual psychopaths
This is true. Peruse r/LinkedinLunatics to see them in action
This is why I have been saying that Microsoft is about to go the way of Sears when the AI bubble pops.
It is to do with link handling:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
> It is to do with link handling:
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
It's hard for me to imagine anyone balking at this feature. My core note taking workflow frequently involves:
1. Note about blah
2. Paste link to blah
3. Open that link later when reviewing my notes.
Blah is sometimes a web link, sometimes a link to a doc on my system, and sometimes a link to an item in my todo tracker. The better analogy is this is like a pencil having an eraser built in.
I use Drafts instead of Notepad, but if I used Notepad I would want to be able to easily open links in my notes. When I do find myself in Notepad, it's because I double clicked on a readme file that often contains links to resources I need.
But then notepad wouldn't be fetching the content. While I would still prefer notepad to be simple, and just making you copy paste the link, I would expect it to forward a link a browser, or something. I would not expect notepad to go out and fetch random content from the internet.
I was really hoping this CVE would have been caused by the Copilot integration into Notepad.
Calculator hasn't been infiltrated by Copilot yet, but I'm sure the day is coming.
> Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light.
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
You cannot claim you're "against feature bloat" while then in the same breath say that it is acceptable that a basic text editor have an entire additional render pipeline.
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
As I posted in a sibling, I thought the whole point of markdown was that it was simplified to the point that rendering it was easy to do from scratch. But we fumbled that because we (collectively) have no idea what we are doing.
The whole point of markdown is that it is easily readable and editable and the structure is evident without being rendered. That it doesn't strictly need to be rendered in all or any context is its utility.
>But we fumbled that because we (collectively) have no idea what we are doing.
Because, almost entirely, the software development industry has disclaimed all responsibility. It's super common for people to try to do shit they have no experience or skill at, push their effort to be adopted by others, then when it crashes and burns they have no accountability. If software "engineers" adopted the rigors and accountability and dignity of traditional engineering, the industry would be very different.
Just... no... not notepad.. Notepad should be the single-simplest of text editors, always has been, always should be... it should be "safe" much like "task manager" it should be as simple and bulletproof as any application in Windows are... these are essential tools that should never, ever, ever break.
MS has WordPad... fck around with that to make it support markdown or whatever else beyond rtf you want it to support. For that matter, it's probably that much more appropriate to do so.
Do I typically use Notepad, no.. not really... I actually use the new rust based edit terminal app more than Notepad. That said, I expect notepad to do one thing... edit text files, and to not break doing so. The ONLY* addition that might be acceptable would be a HEX Editor mode, so you can edit any file.
There are maybe 5-7 applications in Windows I expect to never break... task manager, notepad, registry editor, file explorer, command prompt are at the top of that list... these are the golden tools that should never fail, even if everything else does.
Old notepad is still there, it's just in System32 and you have to disable app execution alias for notepad.exe (apps > advanced app settings > app execution aliases)
The main problem with "Markdown support" in Notepad is that "Markdown support" is an ill-defined phrase. The closest thing to a well-defined definition is to support CommonMark but that is far, far from universal. Microsoft being Microsoft they'd probably still half-ass the job then just declare their new half-ass support a newly embraced-and-extended standard and leave it that way for the next 20 years, so asking Notepad to support Markdown is in practice asking for yet another effing Markdown dialect to come into existence and join the shambling horde of other dialects.
Markdown is more properly understood as a family of related-but-mutually-incompatible standards, like CSV, and like "supporting CSV" is a lot more complicated than meets the eye. And supporting Markdown is already clearly non-trivial compared to the baseline of Notepad we've come to expect over the past few decades.
I might be dumb, but I thought the whole point of markdown was to get rid of all the bells and whistles of styling, having a really simplified and dumb format that only outlines structure. The follow-on being that many tools could parse, transform and render said markdown files in a way that makes sense for them. That way there's lots of tools that don't share code, but a shared definition of the format. I.e. markdown is a format (!?).
The problem is that overall we seem to have fumbled both the concept and the implementation. There a bunch of vaguely similar but incompatible markdowns and apparently rendering them is too hard and people immediately reach for an enormous pile of software (usually a web stack) to render it for them.
It should have been entirely possible for a person to write a markdown parser in a couple hours and e.g. render paragraphs, bulleted lists and tables into a terminal.
Goals aren't results. It was a goal for Markdown to be simple and universal. It is not a result.
You may be struggling a bit because you are reading some sort of moralization into the statement, some sort of emotional judgment, but there isn't any. It is clear that there does not exist a function that takes a span of "Markdown text" in and emits an abstract syntax tree that everyone agrees upon [1]. That's a fairly mathematical way of putting it, but even from an engineering point of view, the differences matter. Very quickly. It's not like you need to reach deep into crazy syntax to get to real, concrete disagreements between systems, you can hit problems with something as simple as
"_hello world _"
between the systems where they will do substantially different things. There are literally dozens of markdown formats now.
How we got there, why such a thing exists, as interesting as those questions may be none of them change the reality on the ground. There is no universal markdown to be appealed to. The closest is CommonMark, and that explicitly exists precisely because there was no consensus in the first place. If markdown was a format, CommonMark would never have been created.
[1]: Nor does its inverse, which at times is more frustrating to me than this. I have in mind what I want to do and either can't figure out how to do it or it simply can't be done.
Except notepad was the safe option for editing files and making sure what you see is what gets saved. Not any more?
Maybe I don't understand what markdown support will imply, but doesn't this hide text?
Like, if I have a h2 or url, its going to show as special text rather than the h2 tag?
There's a toggle in the status bar and the View menu that switches between displaying Markdown as formatted vs. plain text
Oh that's not so bad.
I mean... other than it creating vulnerability... and maybe is the beginning of the end of notepad as a plain text editor...
Is this a big deal? is it also not a problem with anything that renders clickable links? Browsers, email clients, whatever.
Is this not a problem with anything that offers a preview of markdown (or HTML, or anything with embedded links)?
The problem is notepad itself would download and execute bad stuff if you click the evil link. If you would paste that same link in a browser you'd be ok.
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
So Notepad will download and execute itself rather than launch an appropriate application to handle the URL? That was not clear to me.
What does “unverified protocols” mean? Does Windows have an exe:// url scheme that fetches and runs executable binaries or something?
Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have a RCE
But is it running ShellExecute on URIs?
I believe it is. Just tested it. You can make the link "C:\windows\system32\cmd.exe" and clicking it will launch the Command Prompt. I noticed you can't make it "C:\windows\system32\cmd.exe /c some-nefarious-thing"; it doesn't like the space. Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.
>Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.
1. You can use UNC paths to access remote servers via SMB
2. Even if it's local, it's still more useful than you make it out to be. For instance, suppose you downloaded a .zip file of some github project. The .zip file contains virus.exe buried in some subfolder, and there's a README.md at the root. You open the README.md and see a link (eg. "this project requires [some-other-project](subfolder\virus.exe)". You click on that and virus.exe gets executed.
> 1. You can use UNC paths to access remote servers via SMB
Relevant article from The Old New Thing: https://devblogs.microsoft.com/oldnewthing/20060509-30/?p=31...
Programs (this is true for most mainstream operating systems) can become network facing without realizing it. I've found a bunch of Windows programs sometimes tend to assume that I/O completes "instantly" (even if async I/O has been common on Windows for a very long time) and don't have a good UX for cancelling long running I/O operations
Definitely; I didn't mean to underplay it. Here's a fun one:
[Free AI credits](C:\windows\system32\logoff.exe)
It works. This is a real exploit that you could do things with.
What if the space is url encoded %20 ?
That wouldn't work because Windows doesn't understand url-encoded sequences.
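The link-handling discussion above (a shell-style opener handed a drive-letter path, a UNC path, a relative path to an executable, or a non-web protocol) is exactly what a defender would want to triage in README and note files before opening them in a Markdown-rendering editor. The scanner below is an added example, not code from the thread, from Microsoft or from any Markdown project; the inline-link grammar, the risk categories and the sample document are my own assumptions, and the sample README is constructed (its first two risky links are the ones quoted in the thread, the UNC host and the settings link are made-up placeholders).

```python
import os
import re
from urllib.parse import urlsplit

# Inline Markdown link: [text](target). A target containing whitespace is not
# matched, which mirrors the thread's observation that a space breaks the link.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")

# File types the Windows shell runs (or hands to a script host) when "opened".
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi",
                  ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}


def classify_target(target: str) -> str:
    """Classify a link target by how a ShellExecute-style opener would treat it."""
    if re.match(r"^(\\\\|//)[^\\/]+[\\/]", target):
        return "unc"                  # \\server\share\... reaches out over SMB
    if re.match(r"^[A-Za-z]:[\\/]", target):
        return "local-path"           # C:\... absolute local path
    scheme = urlsplit(target).scheme.lower()
    if scheme in ("http", "https"):
        return "web"
    if scheme == "mailto":
        return "mailto"
    if scheme == "file":
        return "file-url"
    if scheme:
        return "custom-scheme"        # any other protocol handler, e.g. ms-settings:
    return "relative-path"            # plain path relative to the document


def link_risk(target: str):
    """Return a short reason if the target should be flagged, else None."""
    kind = classify_target(target)
    ext = os.path.splitext(target.split("?", 1)[0].rstrip("\\/"))[1].lower()
    if kind == "unc":
        return "UNC path: opening it reaches a remote SMB share"
    if kind in ("local-path", "file-url"):
        return "absolute local path: an executable target is run, not displayed"
    if kind == "custom-scheme":
        return "non-web protocol handler"
    if kind == "relative-path" and ext in EXECUTABLE_EXT:
        return "relative path to an executable file type"
    return None                       # web, mailto, and relative links to documents


def scan_markdown(md_text: str) -> list:
    """Find inline links whose targets a defender would want to review."""
    findings = []
    for lineno, line in enumerate(md_text.splitlines(), 1):
        for m in LINK_RE.finditer(line):
            text, target = m.group(1), m.group(2)
            reason = link_risk(target)
            if reason is not None:
                findings.append({"line": lineno, "text": text, "target": target,
                                 "kind": classify_target(target), "reason": reason})
    return findings


# Constructed sample README (not a real project file).
SAMPLE_MD = r"""# Example project (constructed sample, not a real README)
See the [docs](docs/usage.md) and the [homepage](https://example.com/).
[Free AI credits](C:\windows\system32\logoff.exe)
This project requires [some-other-project](subfolder\virus.exe).
Shared build: [release](\\example-host\share\tool.exe)
Open settings: [display](ms-settings:display)
"""

if __name__ == "__main__":
    for f in scan_markdown(SAMPLE_MD):
        print(f"line {f['line']}: [{f['text']}] -> {f['target']} "
              f"({f['kind']}): {f['reason']}")
```

Run it as a script and it lists the four flagged links from the sample while leaving the web link and the relative `.md` link alone. It only understands inline `[text](target)` links, not reference-style ones, and it deliberately does not try to be any particular Markdown dialect: the point is triage of link targets, which is independent of how the rest of the file renders.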
I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too
Windows 11 still includes the old notepad.exe in its Windows directory [0]. Windows just “helpfully” redirects it to the new app if you try to run it. You have to turn that off in Settings under “App execution aliases”. Then you get the old notepad.
[0] In the unlikely case that it isn’t there, you can add it through System > Optional Features > Add an optional feature.
Win9x Notepad in particular can only load files up to 64KB in size (edit: and supports only ANSI encoding, no Unicode). There were some actually useful additions to it up until Windows 10 or so - for example being able to handle LF (in addition to CRLF) line endings. But yeah, everything added in Windows 11 is just pure bloat.
I find notepad useful for sanitising clipboard content.
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
I somewhat regularly use the almost embarrassing key sequence Ctrl-C Ctrl-L Ctrl-V Ctrl-A Ctrl-X to sanitize text I’ve copied from a browser, using the address field to remove any formatting.
I explicitly stopped this habit so that I don't accidentally do it with sensitive data I don't want to go to my search engine provider's auto complete API.
Disabling remote search autocomplete is one of the first things I do when I setup a new browser instance. It's a privacy and security nightmare I don't want.
Same here. And I just noticed yesterday that Firefox had added and enabled a "Suggestions from sponsors" feature. Which I've now disabled, but presumably it's been sending anything I type into the address bar to Mozilla since 2021. I am tired of Mozilla but Chrome is very much worse.
ETA: I only noticed yesterday because a "sponsored suggestion" popped up when I was typing, which I've not seen before. So either they actually enabled it recently, or advertisers don't bid on the kinds of things I usually type.
> Disabling remote search autocomplete
I've always have a suspicion that even with auto complete off, some sort of telemetry or obscure feature is still leaking browser address bar text.
ctrl-k is for the search box
ctrl-l is for the address box
At most I want the address box to do is look up a dns name. Which can still be a risk if I were to hit "enter" with sensitive information which could in some cases get pushed out to my DNS provider (which is me, but then it's possible the address would be pushed out to another resolver, and will also be logged in an unexpected place)
I do a similar thing but use the start menu search, Ctrl-C, WIN, Ctrl-V, Ctrl-A, Ctrl-X. You can do it all in one hand and can get really fast, assuming the start menu doesn't lag behind. There's also the downside that it publishes all of your clipboard content to Bing search so maintain vigilance for confidential data...
You can Ctrl+shift+v to paste plain text in windows.
In some cases. In others, the application does whatever it wants.
And funnily enough, Office for Mac doesn’t allow you to do this, or at least it didn’t used to. I think I may’ve just noticed that it’s started working.
Doesn’t work for me. The absolute most infuriating thing is that copying text out of OneNote pastes as AN IMAGE. The only way around this is sanitizing the text in a notepad on the host machine itself.
> application does whatever it wants
Obsidian has a mildly infuriating default of opening previews with ctrl shift v keys instead of pasting with no formatting.
I always used browser address bar for that. But giving it a second thought, I uploaded the data to Google servers.
I have my firefox browser configured to keep using a separate search field and not make search queries in the url bar. It annoys my partner a lot if I let her use my computer to check something but it is frictionless once you unlearn bad habits.
Win+r, ctrl+v, ctrl+a, ctrl+x, esc does this without spawning a non ephemeral window
The reason being it is a plain text edit component, with a window around it, hence the limitation.
Yep. Back when I used to teach Windows programming in C commercially, the course exercise was to replicate notepad. It was surprising how many of its features you could implement in a week-long course, especially as many of our clients were no great shakes at C.
Notepad is so slow at loading large files that it crashing quickly is a feature.
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
I extracted out notepad.exe, calc.exe and mspaint.exe from Windows 7. I use them on Windows 11. They work perfectly.
For those of you on macOS who still want to benefit from arguably the best drawing application ever conceived, https://jspaint.app/ is THE way. Use it all the time when editing screenshots.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
my favorite "easter egg" hidden behind File -> Exit menu item of jspaint.app... I still remember how it blew my mind the first time I saw it!
Kind of a weird feeling that in order to get the better Windows 11 experience one requires programs from four operating system versions earlier.
Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
Probably the only good thing about Google Docs becoming so popular in school/education use... All you need is a current Chromium based browser mostly.
The Web versions of Office, err MS 365, err CoPilot App.. (OMG!>!!>) ... aren't so bad to use in a Linux browser either.
I’d wish to use Linux.
But some things just don’t run there (properly).
Like Assetto Corsa EVO or SimHub.
Might as well just use Windows 7 if the security surface is this bad on later windows.
Windows 7 market share was actually growing for a while according to:
https://gs.statcounter.com/windows-version-market-share/desk...
Not sure what caused the inflection point in December 2025.
I have the mspaint.exe from the same version too :P. It complains about registry stuff on launch but other than that it works fine. There's no spray can in the modern paint!
They also added strange hacked on half-support for alpha-transparency in modern MS Paint. Meaning there is an alpha layer, and imported staff may utilize it, but if you need to do anything with that layer, you're basically SOL.
Better to have no alpha-transparency than whatever this is. At least old Paint just turned it white, and you could manipulate the white layer, with this working with the alpha layer is a nightmare.
Why does it show registry error?
I copied out mspaint.exe and some resource files as well were needed.
It runs for me without error.
I like paint shop pro, I use 4.12.
I need to just break down and find an old version of that... from before the Jasc sellout. IIRC, it ran via Wine without issue too.
I try to use Pinta/Paint.Net, but it's not quite as good as I remember psp being. I don't even hate the newer MS Paint... though I'm only on windows for my work environment and even then.
Aside: I've been using my personal computer more, so I can work on a limited surface with docker and ai agent, then just bring in the components I'm working on when ready. My work environment is really locked down, no wsl, no docker... and it's like working in 2002 to some extent... It's literally easier for me to create stand-alone projects, work on a given feature in complete isolation... AI agent mostly to boilerplate the environment and most of the automated sanity tests, then I can focus on just what I'm working on.
There used to be a website that has these installable.
Update - it's just the games; I thought it had notepad and calc as well
I feel bad for anyone at MS who thought these applications needed anything more than bugfixes. Welcome to the Notepad team, the entire world would be better off it you did nothing at all!
I just don't get why they didn't just add these features to WordPad, where it would at least make more sense.
> (though the "about notepad" dialog shows the windows 11 version for some reason??)
It's because the program just calls a Windows API to display the version dialog of Windows itself.
Specifically, ShellAbout: https://learn.microsoft.com/en-us/windows/win32/api/shellapi...
How do you edit notes using Microsoft Copilot 365 for Notepad Copilot using that version?
you can also just uninstall the "new" notepad, at which point Windows will let you run the old one again (which is still shipped!).
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy notepad received, such as LF line ending support.
What? Did they accidentally revert the improvements they already made to previously shipped versions of the old notepad program?
I think it's in reference to using Win9x notepad.exe as opposed to somewhere in the Win7-10 timeframe before they went over the top in Win11.
> What more does notepad need?
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
Apparently windows 11 still ships with classic notepad?
https://github.com/christian-korneck/classic-windows-notepad
> What more does notepad need?
AI! It needs AI. Did I guess it right?
Affirmative. You have unlocked the following achievement: "Get a head start of 45 minutes when we start destroying humanity".
Since there'll be nowhere to run, could I be one of the first? Don't wanna have to deal with the hassle of having to watch my loved ones being chased down.
If you go that far, metapad (from 98) is still better than notepad ever was. Also loads 100k lines files quickly.
Get notepad.exe from reactos' nightly ISO, it's in reactos.cab
Extract both the ISO and reactos.cab with 7zip.
It needs far more features apparently. Tons more. That's why Notepad++ is popular. Which also had a severe security vulnerability recently. Which was actively exploited by some state actor like China.
That recent Notepad++ incident was a supply chain attack, not a vulnerability in the original program.
Strictly, no. But it was a vulnerability in the design of Notepad++, key elements here being the featureset that requires frequent updates and the lack of integrity checks during the upgrade process.
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
> in the design of Notepad++
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
Recently, I was pleasantly surprised to discover that the Microsoft Store has a built-in CLI with that exact functionality. You just run `store updates` to check for updates to store-managed apps, and you can target specific items with `store update <update-id>`. Of course, there's also winget for non-store applications (`winget upgrade`). I find them pretty handy as I have become quite used to managing my Linux installations with pacman over the past year or so. I discovered the store CLI completely by accident. It's not widely advertised.
I am driving an Ubuntu installation because it's what my current employer mandates and coming from arch it feels like going back to Windows. Oh-my-zsh, opencode, gemini-cli, bun, pyenv, nvm... All installed with curl | bash which is not as bad as a .exe or .msi -- those are scripts you can still easily inspect -- but it's also bypassing the pkg manager.
But I guess that's what you get when you fragment your ecosystem in apt, snap and gnome extension manager. I need to master nix asap.
I'm not sure who I trust less to handle package integrity, the 3rd party hosting provider that Notepad++ used, or Microsoft.
A little tongue-in-cheek, but it's also an issue with windows, that it's owned by an untrustworthy company.
You can if you use the windows store. It's just that you usually install things outside of that, unlike in linuxes where you generally use the package manager that can handle updates for you
Plus Windows Store is not supported on all versions of Windows, particularly Datacenter versions - your most valuable assets !!
You can jump through a couple hoops to get WinGet working in Windows Server environments without much issue. IIRC, there's a single PS1 script you can run to do it, followed by a reboot.
The OS provided option can be bare bones, stable, secure and just utilitarian. This promotes having people choose their own tools for the features they want and not really expecting much other than reliability from the OS version. They didn’t need to mess with a good thing.
Ok, tabs, I do like the tabs.
A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
It was not compromised a few days ago, that's just when the attack was disclosed. The actual compromise and exploitation happened months ago for several weeks.
Well technically Unixes like Linux are a mountain of legacy and they are fine.
Windows is just a mountain of shit.
> a mountain of legacy and they are fine.
telnetd CVE-2026-24061. It's an embarrassingly simple exploit but took years to be discovered.
> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
"Fine"
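As an added example (not code from the thread, from inetutils or from any login implementation), here is the argument-injection pattern the quoted CVE description names, beside a hardened version. A getopt-style parser with an assumed option string stands in for a login-like child program; it shows the client-supplied USER value being consumed as the `-f` flag instead of landing in the positional arguments, and an allow-list check rejects such a value before it is ever placed in argv.

```python
import getopt
import re

# Conservative allow-list for user names: a letter or underscore, then letters,
# digits, dot, underscore or hyphen, optionally a trailing '$'. Nothing that
# starts with '-' can match, so an option-looking value never reaches the child.
USERNAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9._-]{0,31}\$?$")

# Hypothetical short-option string for a login-like program, assumed for this
# simulation only: '-f' takes a user name and skips authentication (as in the
# CVE description quoted above), '-h' takes a host, '-p' is a bare flag.
LOGIN_SHORTOPTS = "f:h:p"


def parse_as_login_would(argv):
    """Run getopt over the argv a login-like child would see.
    Returns (options, positional); a user name is only a user name if it
    ends up in the positional list."""
    return getopt.getopt(argv, LOGIN_SHORTOPTS)


def build_login_argv_vulnerable(user):
    """The pattern the CVE quote describes: the client-supplied USER value is
    placed in argv unchanged, so anything beginning with '-' parses as an option."""
    return [user]


def is_safe_username(user):
    return USERNAME_RE.match(user) is not None


def build_login_argv_hardened(user):
    """Allow-list the value before it becomes an argv element."""
    if not is_safe_username(user):
        raise ValueError(f"rejected user name {user!r}")
    return [user]


def classify_user_value(user):
    """'option' if the vulnerable path would let the child consume the value as
    a flag (known or unknown), 'user' if it arrives as a positional argument."""
    try:
        opts, positional = parse_as_login_would(build_login_argv_vulnerable(user))
    except getopt.GetoptError:
        return "option"          # unrecognised flag: still not treated as a name
    return "option" if opts else "user"


if __name__ == "__main__":
    for value in ("alice", "-f root"):
        verdict = "accepts" if is_safe_username(value) else "rejects"
        print(f"{value!r}: vulnerable path sees it as {classify_user_value(value)}, "
              f"hardened path {verdict} it")
```

The general lesson is the one the CVE quote makes: any value that crosses a trust boundary and then becomes a separate argv element must be validated against what the receiving program's option parser will do with it, and a leading dash is the first thing to refuse.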
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
Because Linux (and other nixes) have their roots in multiuser/time-share systems/servers. Protecting the system* from the users was important, and protecting users from other users equally as important. Protecting the user's $HOME from themselves/user-level programs wasn't as much of a concern, the user was assumed to be responsible enough to manage it themselves.
Linux /home is far from a free for all. flatpak, landlock, selinux, podman, firejail, apparmor, and systemd sandboxing all exist and can and do apply additional restrictions under /home
>Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc
Because a compromised user could infect shared executables and spread the infection. A bit harder to do with etc but for sure possible. The main target would be infecting bash and you are done from the get go.
>when literally the only files that matter to me are in /home, which is a free-for-all?
The home folder's read write is usually restricted to the user. The only scenario where this isn't the case to my knowledge is Ubuntu where others can read it, but this is just a huge flaw in Ubuntu that almost no other distro has.
> when literally the only files that matter to me are in /home, which is a free-for-all?
> The home folder's read write is usually restricted to the user.
Yeah, and that is the point. All user's programs including curl, wget, the web browser, anything else that connects to the network run as the user, and all the user's programs, by default, have access to everything inside ${HOME}.
Most people don't really care if /bin gets obliterated, but they do care dearly when /home/joe/photos/annies-2nd-birthday gets wiped.
Protecting a user from himself is hard. Protecting user from others is easy. Linux is influenced by unix and a lot of installations are servers. Where most programs run under their own accounts.
You can always have two user accounts: oblio and unsafe-oblio and have a shared folder between the two for transferring files. Or invest into some backup software.
Just make another user bro. If you can't even create a user to run a program you distrust, the issue is not that windows doesn't provide sandboxes, it's that you don't use them
And no, it's not "a lot of work" it's the bare minimum
Yet 99% of the planet doesn't do "the bare minimum", bro.
We have supposedly all the smartest minds in the world working in tech and they haven't been able to create a simple, cheap, reliable cross platform solution for user data protection, backup and restore.
It's easier to blame users instead.
I rolled out a home-made backup script in PowerShell - just a wrapper around wbadmin that backs up an entire system image and then a standard "Backup and Restore" backup on an external disk once I plugged it in.
I even signed it and everything.
The first point is fairly obvious and the latter point is not true (AppArmor etc)
Phew, I'm so relieved that now we have the One True Security Solution To Rule Them All, AppArmor.
Oh, what do you mean there's also SELinux, Snap, Flatpak, Docker, Podman, ...?
Unixes like Linux are not immune.
True, as systemd and Wayland point out elegantly. But at least there is a modicum of choice there.
Ironic in a post about a CVE, as systemd offers more security options for starting services than anything else.
Install vim for Windows. I just use gvim as a notepad replacement. No plugins or anything required.
There's also good old edit... ;-)
https://github.com/microsoft/edit
Yeah, it's a re-creation of edit, but it's pretty great... also runs outside Windows.
> At this point, what am I supposed to do other than uninstall Windows completely?
Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?
There is no valid excuse for this vulnerability. Its existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.
Visual Studio Code was not compromised.
Neither is Neovim, Sublime Text, Visual Studio, ed, etc... So what? This is still unacceptable
I still use VIM in the terminal. So far, I'm fine, but I assume there's gonna be some inevitable CI/CD compromises sooner or later.
>No real sandboxing, a mountain of legacy…
You have:
- Windows Sandbox (consumer-level sandbox)
- Creating a separate user (user folders are permission-locked to their user by default; system binaries cannot be modified without admin access)
- Hyper-V (VM hypervisor)
- Edge browsers
Don't get me wrong, MSFT quality is dropping steeply, but this is still a strong point. For comparison, on Ubuntu, the user folder by default can be read by all users.
>Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.
Windows has garbage defaults, but if you read through their documentation on enterprise architecture they definitely do not recommend having admin be the only account. They do in fact encourage separate accounts, multiple levels of privileges with login restrictions across different types of machines, etc.
Many Linux distros are also guilty of this, disabling the root account by default and having the only user have sudo privileges, just like Windows.
Yes, however much more can be done in the user's own directory on Unix systems. Needing sudo raises some eyebrows, whereas most Windows users don't necessarily understand UAC, and almost never think twice about pressing "Yes" on the popups, which are seen more as an annoyance than something critical for safety. Some even completely disable UAC.
> Common practice, and even encouraged by Windows itself, is having the administrator account be the only account.
This hasn't been true since Vista. Kind of even before that with XP, it really showcased using multiple accounts to home users with a much more stylized user selection screen.
We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results.
AI is useful, but these management types typically don't know how to make it useful.
Now imagine that you are someone who doesn't even think AI is useful, and imagine just how much more infuriating it is to have it crammed in. Drives me up a wall.
It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”.
I think they came up with the exact right answer, like:
> How do I add more features to get a promotion
It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”.
Individual developers or even developer management doesn't get much of a say in product direction at large corporations. The product management folks are who decide what features go in and when.
PMs have resumes too :)
- Successfully led key efforts to modernize aging platform technologies
- Directed integration of cutting-edge system-wide artificial intelligence functionality
Even if you talk to users, you can do it the wrong way. Big companies are incentivized by the stock market to care more about new users than existing ones because their only focus is growth. "Growth can't be rooted in your existing users" is a common feeling in product management circles. If you try to do things for people other than your existing users, then you end up doing odd stuff that at best is a mild annoyance. More likely you hurt their ability to continue using the app.
Exemplified by every website with a massive SIGN UP button and then a little 8 pt font log in tucked away somewhere underneath.
Gee thanks for helping me find the button I'll use literally once and making me hunt for the one I'll need the other 99999 times I use this service.
Existing users can go fuck themselves as long as new people are registering. Line go up!
I can’t tell you how relieving it is to hear somebody else complain about this. This has been my pet peeve for ages.
Unjustified downvoting. You absolutely have a point. Not just software, also the gazillion UI/UX designers. They keep moving things around and changing colors and fucking things up just to justify their salaries. Case in point: Google maps. It was perfect 15 years ago. We don't need vomit inducing color changes every 2 years
Microsoft is driving AI adoption. Why blame the workers for this?
Why can't Indian software developers stand up for themselves and say no?
Because there are plenty of developers who'll say yes, so anyone saying no is putting their ethics ahead of their livelihood. Few people will be willing to put their beliefs ahead of providing for their family.
It's easy to say you will, and very hard to actually do it.
That's what ethics are. If you don't make sacrifices for them they aren't ethics they're just conveniences.
This is easy to say until you're an immigrant worker in a foreign country - something one probably worked for their entire life up to that point - risking it all (and potentially wrecking the life of their entire family) just to stop some random utility from having a Copilot button. It's not "this software will be used to kill people", it's more like "there's this extra toolbar which nobody uses".
In life you have to choose your battles.
I hadn't made more solid connections between the current state of software and industry, the subjugation of immigrants, and the death of the American neoliberal order until this comment thread, but here it lies bare, naked, and essentially impossible to ignore. With regards to the whole picture, there's no good or moral place to "RETVRN" to in a nostalgic sense. The one question that keeps ringing through my head as I see the world in constant upheaval, and my one refuge in meaning, technical craftsmanship, tumbling, is: Why did I not see this coming?
"why won't other people make sacrifices for me?"
Because the society in US is arranged as a competition with no safety net and where your employer has a disproportionate amount of influence on your well being and the happiness of your kids.
I'm not going to give up $1M in total comp and excellent insurance for my family because you and I don't like where AI is going.
Just having the option of giving up $1 million in compensation puts one far, far, far above meaningful worries about your well-being and the happiness of your kids.