We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
bigfatkitten 2 hours ago [-]
> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
sneak 2 hours ago [-]
It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”.
whatsupdog 10 minutes ago [-]
Unjustified downvoting. You absolutely have a point. Not just software, also the gazillion UI/UX designers. They keep moving things around and changing colors and fucking things up just to justify their salaries. Case in point: Google maps. It was perfect 15 years ago. We don't need vomit inducing color changes every 2 years
cyanydeez 1 hours ago [-]
Microsoft is driving AI adoption. Why blame tge workers for this?
wormpilled 8 minutes ago [-]
Why can't Indian software developers stand up for themselves and say no?
onion2k 1 minutes ago [-]
Because there are plenty of developers who'll say yes, so anyone saying no is putting their ethics ahead of their livelihood. Few people will be willing to put their beliefs ahead of providing for their family.
It's easy to say you will, and very hard to actually do it.
throwpoaster 56 minutes ago [-]
Microsoft is comprised of its workers.
jdsampayo 29 minutes ago [-]
All workers are equal, but some workers are more equal than others
weinzierl 4 hours ago [-]
"For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text."
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
dspillett 2 hours ago [-]
> nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
josephg 1 hours ago [-]
> to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM
Ah so that’s the trick! I’ve run into this problem a bunch of times in the wild, where some script emits csv which works on the developers machine but fails strangely with real world data.
Good to know there’s a simple solution. I hope I remember your comment next time I see this!
silon42 53 minutes ago [-]
Excel CSV is broken anyway, since in some (EU, ...) countries it needs ; as separator.
7bit 1 hours ago [-]
The very fact that UTF-8 itself discouraged from using the BOM is just so alien to me. I understand they want it to be the last encoding and therefore not in need of a explicit indicator, but as it currently IS NOT the only encoding that is used, it makes is just so difficult to understand if I'm reading any of the weird ASCII derivatives or actual Unicode.
It's maddening and it's frustrating. The US doesn't have any of these issues, but in Europe, that's a complete mess!
capitainenemo 37 minutes ago [-]
From wikipedia...
UTF-8 always has the same byte order,[5] so its only use in UTF-8 is to signal at the start that the text stream is encoded in UTF-8...
Not using a BOM allows text to be backwards-compatible with software designed for extended ASCII. For instance many programming languages permit non-ASCII bytes in string literals but not at the start of the file. ...
A BOM is unnecessary for detecting UTF-8 encoding. UTF-8 is a sparse encoding: a large fraction of possible byte combinations do not result in valid UTF-8 text.
That last one is a weaker point but it is true that with CSV a BOM is more likely to do harm, than good.
g-b-r 34 minutes ago [-]
Indeed, I've been using the BOM in all my text files for maybe decades now, those who wrote the recommendation are clearly from an English country
usrbinbash 1 hours ago [-]
As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.
MarleTangible 46 minutes ago [-]
They also wanted to use the popularity of Notepad, so they replaced it with an AI bloatware version instead of creating a new app with extra features.
bsza 2 hours ago [-]
There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money.
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
reyqn 3 hours ago [-]
Embarrassing bugs are not RCEs. Also the industry should be more mature now, not less. But move fast and break things, I guess...
sph 3 hours ago [-]
We have reached peak software stability, it's all gonna be downhill from here.
cookiengineer 57 minutes ago [-]
Peak software stability was Windows 7, that's why it's still used in industrial environments.
fwgijcqywqeo 2 hours ago [-]
We are living in the future!
nuancebydefault 3 hours ago [-]
To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to pursuade you to do something harmful.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
egeozcan 2 hours ago [-]
> unless... you understood Chinese and the alternative text would manage to persuade you to do something harmful
Oh, here is the file I just saved... I see that it now tells me to rob a bank and donate the money to some random cult I'm just learning about.
Let me make a web search to understand how to contact the cult leader and proceed with my plan!
I am pretty sure it's possible to fix that entire category of bugs without introducing RCE vulnerabilities.
3 hours ago [-]
jama211 3 hours ago [-]
Fascinating reading about that bug, thanks for sharing
croes 3 hours ago [-]
> Now this is a solved problem
Is that so? I ran pretty often in problems with programs having trouble with non-ANSI characters
direwolf20 3 hours ago [-]
It's not solved, we just don't have to guess the encoding any more because it's always UTF-8.
keepamovin 4 hours ago [-]
I couldn't agree more. A text editor exposing an attack surface via a network stack is precisely the kind of bloat that makes modern computing ultra-fragile.
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.
The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.
usrbinbash 1 hours ago [-]
Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer.
keepamovin 45 minutes ago [-]
That is completely valid for personal threat models, I rely on LUKS/BitLocker for my daily driver too.
The specific gap this fills is 'Defense in Depth' + compliance. OS-level encryption (like FDE) is transparent once you log in. If you walk away from an unlocked machine, FDE does nothing.
App-level encryption, however, ensures the specific sensitive notes remain encrypted on disk even while the OS is running and the user is authenticated.
It's also portable as it allows the encrypted blob to be moved across untrusted transports (email, USB, cloud) without needing to set up an encrypted container/volume on the destination.
For FIPS/NIST workflows, relying solely on the OS often isn't enough for the auditor; having the application control the keys explicitly satisfies the 'data protection' control regardless of the underlying storage medium.
Muromec 3 hours ago [-]
What does notepad need openssl for?
keepamovin 3 hours ago [-]
Encryption at rest (AES-GCM).
To meet FIPS 140-3, I can't roll my own crypto; I have to use a validated module.
I actually only link OpenSSL on Linux, and then only if it's in FIPS-mode. On Windows (CNG) and macOS (CoreCrypto), I use the native OS primitives to avoid the dependency and keep the binary small.
absynth 3 hours ago [-]
For the built-in web-browser instance it likely contains by now.
daemoncoder 3 hours ago [-]
Ability to handle email coming soon.
autoexec 2 hours ago [-]
But can it play MP3s?
MonkeyClub 2 hours ago [-]
I'm sure eventually it will, it's law:
Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
oblio 2 hours ago [-]
> Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
Every text editor, including Emacs [...].
nicoburns 3 hours ago [-]
Looks like it's using it for encryption.
w4yai 3 hours ago [-]
Cryptography I guess
cafebabbe 4 hours ago [-]
Question is, did they even realize they added a network-aware rendering stack...
autoexec 2 hours ago [-]
Is it giving MS too much credit to suggest that they probably didn't just vibe code their new notepad?
Neither vim nor Notepad are purely for displaying text though.
Someone1234 20 minutes ago [-]
> Neither vim nor Notepad are purely for displaying text though.
Up until fairly recently, that's exactly all Notepad did.
Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.
iso1631 3 hours ago [-]
vim is a far larger program than a text editor.
notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".
kgwxd 2 hours ago [-]
The day calculator brought me to an MS Store login was the day I became a radical.
consp 5 hours ago [-]
> viewing data is a fundamental failure of the principle of least privilege.
I read the cwe not cve, was wrong. It's still early in the morning...
seritools 4 hours ago [-]
You are mistaken:
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
mwalser 4 hours ago [-]
> If I read it correctly (but could be mistaken), it runs with setuid root
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
dijit 4 hours ago [-]
People very often run notepad as administrator (anything launched from administrative powershell instances will run like this).
In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator “notepad %1”` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default)
And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files.
patates 4 hours ago [-]
> And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS.
MarleTangible 40 minutes ago [-]
> Regardless, notepad is a very trusted application and is often run as Administrator.
Sorry to say this, but Notepad was a very trusted application now. I cannot believe that such a core utility has a 8.8 CVE, it sounds like a joke tbh.
dijit 39 minutes ago [-]
A totally valid modification to the statement I made.
These are sad times.
addhochohoc 1 hours ago [-]
You goto go with the times man, goto write yourself a fulltime job with a legacy.
AnonymousPlanet 4 hours ago [-]
I'm not sure if we should use "gold standard" together with the little piece of garbage that notepad.exe was for most of its existence. It has been the bane for anyone who had to do work on locked down Windows servers and had to, e.g., edit files with modern encodings. They fixed some of it in the meantime, but the bitter taste remains.
iugtmkbdfil834 1 hours ago [-]
You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end is nigh.
TZubiri 3 hours ago [-]
EDIT: THE OLD NOTEPAD IS STILL IN WINDOWS AND WE CAN USE IT!
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
BLKNSLVR 2 hours ago [-]
I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on.
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
MonkeyClub 2 hours ago [-]
> the purity of "working with what's installed".
Oh, a kindred spirit!
I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.
(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)
ygra 2 hours ago [-]
> Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?
Even with MSBuild 4. From the days when .NET Framework was an OS component and also the build tools (until Roslyn) were part of the Framework.
chrisjj 1 hours ago [-]
> Did you know Windows comes with a bare bones C# 5 toolchain
Shh, please. If MS find out, they'll add a parrot to "improve" it.
sneak 2 hours ago [-]
Not having one’s configuration present is kneecapping yourself needlessly.
If you’re going to have a custom config, you might as well have a custom executable.
funnybeam 38 minutes ago [-]
Except it keeps reverting to the new notepad every few days….
I’ve been fighting this for the last couple of weeks but it just doesn’t stick
autoexec 2 hours ago [-]
EDIT.COM still works in dosbox
ganzsz 1 hours ago [-]
Edit is ported to win11 and edit(.exe) should work in your shell of choice.
But... did they add a http server in it? Mail reader?
suprfsat 53 minutes ago [-]
Rewrote it in Rust
naikrovek 55 minutes ago [-]
no, and the person at Microsoft that wrote it is adamant about keeping it as an editor only.
oblio 2 hours ago [-]
> This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
What's your day job? Are you self employed?
artemonster 4 hours ago [-]
tell this to level N-1 managers that want to get promoted by the only way of "launching features"
hennell 4 hours ago [-]
A utility meant for viewing data? I don't think you understand what a text editor is.
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
ntoskrnl_exe 3 hours ago [-]
I’m not sure I understand what you’re trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And i fail to see the new features as anything but useless bloat.
ceving 4 hours ago [-]
They should have called it Emacs. Then everybody would have known.
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
BLKNSLVR 1 hours ago [-]
> It is to do with link handling:
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
Hackbraten 1 hours ago [-]
Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
Someone1234 14 minutes ago [-]
You cannot claim you're "against feature bloat" while then in the same breath say that it is acceptable that a basic text editor have an entire additional render pipeline.
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
nottorp 1 hours ago [-]
Except notepad was the safe option for editing files and making sure what you see is what gets saved. Not any more?
PlatoIsADisease 36 minutes ago [-]
Maybe I don't understand what markdown support will imply, but doesn't this hide text?
Like, if I have a h2 or url, its going to show as special text rather than the h2 tag?
voidUpdate 4 hours ago [-]
I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too
TonyTrapp 4 hours ago [-]
Win9x Notepad in particular can only load files up to 64KB in size (edit: and supports only ANSI encoding, no Unicode). There were some actually useful additions to it up until Windows 10 or so - for example being able to handle LF (in addition to CRLF) line endings. But yeah, everything added in Windows 11 is just pure bloat.
SomeUserName432 4 hours ago [-]
I find notepad useful for sanitising clipboard content.
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
setopt 3 hours ago [-]
I somewhat regularly use the almost embarrassing key sequence Ctrl-C Ctrl-L Ctrl-V Ctrl-A Ctrl-X to sanitize text I’ve copied from a browser, using the address field to remove any formatting.
I explicitly stopped this habit so that I don't accidentally do it with sensitive data I don't want to go to my search engine provider's auto complete API.
theandrewbailey 2 hours ago [-]
Disabling remote search autocomplete is one of the first things I do when I setup a new browser instance. It's a privacy and security nightmare I don't want.
HugoTea 2 hours ago [-]
I do a similar thing but use the start menu search, Ctrl-C, WIN, Ctrl-V, Ctrl-A, Ctrl-X. You can do it all in one hand and can get really fast, assuming the start menu doesn't lag behind.
There's also the downside that it publishes all of your clipboard content to Bing search so maintain vigilance for confidential data...
andhuman 2 hours ago [-]
Have you tired using the run action instead to clean the data? Win+r
xnorswap 4 hours ago [-]
You can Ctrl+shift+v to paste plain text in windows.
sheiyei 3 hours ago [-]
In some cases. In others, the application does whatever it wants.
UqWBcuFx6NV4r 3 hours ago [-]
And funnily enough, Office for Mac doesn’t allow you to do this, or at least it didn’t used to. I think I may’ve just noticed that it’s started working.
SoKamil 2 hours ago [-]
I always used browser address bar for that. But giving it a second thought, I uploaded the data to Google servers.
hsbauauvhabzb 1 hours ago [-]
Win+r, ctrl+v, ctrl+a, ctrl+x, esc does this without spawning a non ephemeral window
literalAardvark 3 hours ago [-]
Notepad is so slow at loading large files that it crashing quickly is a feature.
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
pjmlp 4 hours ago [-]
The reason being it is a plain text edit component, with a window around it, hence the limitation.
zabzonk 3 hours ago [-]
Yep. Back when I used to teach Windows programming in C commercially, the course exercise was to replicate notepad. It was surprising how many of its features you could implement in a week-long course, especially as many of our clients were no great shakes at C.
leduyquang753 4 hours ago [-]
> (though the "about notepad" dialog shows the windows 11 version for some reason??)
It's because the program just calls a Windows API to display the version dialog of Windows itself.
I extracted out notepad.exe, calc.exe and mspaint.exe from Windows 7. I use them on Windows 11. They work perfectly.
jakub_g 4 hours ago [-]
For those of you on macOS who still want to benefit from arguably the best drawing application ever conceived, https://jspaint.app/ is THE way. Use it all the time when editing screenshots.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
Lex-2008 3 hours ago [-]
my favorite "easter egg" hidden behind File -> Exit menu item of jspaint.app... I still remember how it blew my mind the first time I saw it!
sheiyei 3 hours ago [-]
This wet my eyes. The times...
b3lvedere 49 minutes ago [-]
Kind of a weird feeling that in order to get the better Windows 11 experience one requires programs from four operating system versions earlier.
Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
voidUpdate 4 hours ago [-]
I have the mspaint.exe from the same version too :P. It complains about registry stuff on launch but other than that it works fine. There's no spray can in the modern paint!
Someone1234 10 minutes ago [-]
They also added strange hacked on half-support for alpha-transparency in modern MS Paint. Meaning there is an alpha layer, and imported staff may utilize it, but if you need to do anything with that layer, you're basically SOL.
Better to have no alpha-transparency than whatever this is. At least old Paint just turned it white, and you could manipulate the white layer, with this working with the alpha layer is a nightmare.
tomNth 53 minutes ago [-]
I like paint shop pro, I use 4.12.
dgxyz 4 hours ago [-]
Might as well just use Windows 7 if the security surface is this bad on later windows.
duskdozer 4 hours ago [-]
How do you edit notes using Microsoft Copilot 365 for Notepad Copilot using that version?
sheiyei 3 hours ago [-]
How do you write without being able to read with that version?
e12e 60 minutes ago [-]
Apparently windows 11 still ships with classic notepad?
you can also just uninstall the "new" notepad, at which point Windows will let you run the old one again (which is still shipped!).
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy nodepad received, such as LF line ending support.
ptx 2 hours ago [-]
What? Did they accidentally revert the improvements they already made to previously shipped versions of the old notepad program?
szatkus 3 hours ago [-]
> What more does notepad need?
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
throwaway198846 4 hours ago [-]
I feel vindicated by reverting to the old windows 10 notepad.exe
gchamonlive 2 hours ago [-]
> What more does notepad need?
AI! It needs AI. Did I guess it right?
b3lvedere 43 minutes ago [-]
Affermative. You have unlocked the following achievement: "Get a head start of 45 minutes when we start destroying humanity".
gchamonlive 16 minutes ago [-]
Since there'll be nowhere to run, could I be one the first? Don't wanna have to deal with the hassle of having to watch my loved ones being chased down.
IshKebab 4 hours ago [-]
Support for Unix line endings at the very least.
cubefox 4 hours ago [-]
It needs far more features apparently. Tons more. That's why Notepad++ is popular. Which also had a severe security vulnerability recently. Which was actively exploited by some state actor like China.
leduyquang753 4 hours ago [-]
That recent Notepad++ incident was a supply chain attack, not a vulnerability in the original program.
SPICLK2 4 hours ago [-]
Strictly, no. But it was a vulnerability in the design of Notepad++, key elements here being the featureset that requires frequent updates and the lack of integrity checks during the upgrade process.
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
IsTom 4 hours ago [-]
> in the design of Notepad++
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
ampersandwhich 3 hours ago [-]
Recently, I was pleasantly surprised to discover that the Microsoft Store has a built-in CLI with that exact functionality. You just run `store updates` to check for updates to store-managed apps, and you can target specific items with `store update <update-id>`. Of course, there's also winget for non-store applications (`winget upgrade`). I find them pretty handy as I have become quite used to managing my Linux installations with pacman over the past year or so. I discovered the store CLI completely by accident. It's not widely advertised.
gchamonlive 2 hours ago [-]
I am driving an Ubuntu installation because it's what's my current employer mandates and coming from arch it feels like going back to Windows. Oh-my-zsh, opencode, gemini-cli, bun, pyenv, nvm... All installed with curl | bash which is not as bad as a .exe or .msi -- those are scripts you can still easily inspect -- but it's also bypassing the pkg manager.
But I guess that's what you get when you fragment your ecosystem in apt, snap and gnome extension manager. I need to master nix asap.
voidUpdate 4 hours ago [-]
You can if you use the windows store. It's just that you usually install things outside of that, unlike in linuxes where you generally use the package manager that can handle updates for you
delaminator 2 hours ago [-]
Plus Windows Store is not supported on all version of Windows particularly Datacenter versions - your most valuable assets !!
SPICLK2 4 hours ago [-]
I'm not sure who I trust less to handle package integrity, the 3rd party hosting provider that Notepad++ used, or Microsoft.
IsTom 4 hours ago [-]
A little tongue-in-cheek, but it's also an issue with windows, that it's owned by an untrustworthy company.
RobotToaster 4 hours ago [-]
Pretty sure winget does let you do that.
conductr 4 hours ago [-]
The OS provided option can be bare bones, stable, secure and just utilitarian. This promotes having people choose their own tools for the features they want and not really expecting much other than reliability from the OS version. They didn’t need to mess with a good thing.
Ok, tabs, I do like the tabs.
r2vcap 4 hours ago [-]
A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
dgxyz 4 hours ago [-]
Well technically Unixes like Linux are a mountain of legacy and they are fine.
Windows is just a mountain of shit.
nananana9 3 hours ago [-]
"Fine"
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
razighter777 41 minutes ago [-]
Linux /home is far from a free for all. flatpak, landlock, selinux, podman, firejail, apparmor, and systemd sandboxing all exist and can and do apply additional restrictions under /home
dgxyz 3 hours ago [-]
The first point is fairly obvious and the latter point is not true (AppArmor etc)
oblio 2 hours ago [-]
Phew, I'm so relieved that now we have the One True Security Solution To Rule Them All, AppArmor.
Oh, what do you mean there's also SELinux, Snap, Flatpack, Docker, Podman, ...?
StilesCrisis 29 minutes ago [-]
He did say "etc"...
TZubiri 2 hours ago [-]
>Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc
Because a compromised user could infect shared executables and spread the infection. A bit harder to do with etc but for sure possible. The main target would be infecting bash and you are done from the get go.
>when literally the only files that matter to me are in /home, which is a free-for-all?
The home folder's read write is usually restricted to the user. The only scenario where this isn't the case to my knowledge is Ubuntu where others can read it, but this is just a huge flaw in Ubuntu that almost no other distro has.
43 minutes ago [-]
oblio 2 hours ago [-]
> when literally the only files that matter to me are in /home, which is a free-for-all?
> The home folder's read write is usually restricted to the user.
Yeah, and that is the point. All user's programs including curl, wget, the web browser, anything else that connects to the network run as the user, and all the user's programs, by default, have access to everything inside ${HOME}.
Most people don't really care if /bin gets obliterated, but they do care dearly when /home/joe/photos/annies-2nd-birthday gets wiped.
dgxyz 4 minutes ago [-]
Backups FTW.
skydhash 17 minutes ago [-]
Protecting a user from himself is hard. Protecting user from others is easy. Linux is influenced by unix and a lot of installations are servers. Where most programs run under their own accounts.
You can always have two user accounts: oblio and unsafe-oblio anf have a shared folder between the two for transferring files. Or invest into some backup software.
direwolf20 3 hours ago [-]
Unixes like Linux are not immune.
dgxyz 3 hours ago [-]
True, as systemd and wayland point out elegantly. But at least there is a modicum of choice there.
jamespo 2 hours ago [-]
Ironic in a post about a CVE, as systemd offers more security options for starting services than anything else.
karel-3d 49 minutes ago [-]
Visual Studio Code was not compromised.
guidopallemans 30 minutes ago [-]
Visual Studio Code is the compromise
cookiengineer 55 minutes ago [-]
I still use VIM in the terminal. So far, I'm fine, but I assume there's gonna be some inevitable CI/CD compromises sooner or later.
agumonkey 4 hours ago [-]
we still need a mouse icon rce until we reach peak
TZubiri 2 hours ago [-]
>No real sandboxing, a mountain of legacy…
You have:
- Windows Sandbox (consumer-level sandbox)
- Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
- HyperV (VM hypervisor)
- Edge Browsers
Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparision, on Ubuntu, user folder by default can be read by all users.
rmunn 5 hours ago [-]
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files."
I didn't even know Notepad would render Markdown.
BLKNSLVR 2 hours ago [-]
Notepad rendering other formats removes one of the specific reasons I use notepad: to strip the stupid formatting that all sorts of applications seem to want to attach to text these days.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of the its magic: it's immunity to the choices of marketing teams and dud management.
ddtaylor 3 hours ago [-]
Torture will continue until morale improves
TZubiri 2 hours ago [-]
I think it's very recent, I use it almost daily and only last week did I see a markdown file being rendered.
reddalo 5 hours ago [-]
I miss when the Notepad was doing what the Notepad is supposed to do: show a text file, plain and simple.
Borg3 4 hours ago [-]
Haha, yeah.. Im using Notepad2 actually, because for LOOONG time, notepad.exe could not display LF files correctly... and Notepad2 has a bit more features, but still.. clean and lean.
tosti 4 hours ago [-]
This was already better when the latest from MS was still called "* XP":
Wow that's a hit of nostalgia, I'd completely forgotten about metapad, but I loved it back in the day.
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
barosl 3 hours ago [-]
Oh wow, yes I remember now, I used to type `Alt+F` and then `S` immediately because Notepad didn't support `Ctrl+S` back then. Thanks for giving me nostalgia!
BLKNSLVR 2 hours ago [-]
I've still got the very fast muscle memory of "Alt-F S", I used to do it habitually in Word and Excel. Still do it occasionally, then having to then undo whatever it does now (luckily it's usually nothing), but sometimes it leaves the Alt press 'open' so the next letter I press does something unpredictable.
crummy 4 hours ago [-]
I used to overwrite c:\windows\notepad.exe with Metapad. At some point Windows security made this a pain though!
ubixar 16 minutes ago [-]
Notepad had one job, display text. Microsoft decided it needed an attack surface instead.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
ruhith 1 hours ago [-]
The funny thing is browsers figured out years ago you need to warn users before launching random protocol handlers. Microsoft added clickable links to Notepad and just skipped that part entirely. It's not even about the feature creep, it's that they reinvented something browsers solved ages ago and somehow forgot why those safeguards existed in the first place.
kuboble 4 hours ago [-]
I used notepad as my default, simple text editor for ages.
After they added copilot I finally gave up and uninstalled it and switched to a one of the minimalistic clones of the good old notepad.exe
bstsb 5 hours ago [-]
i imagine it’s probably something to do with the massive scope creep recently, especially with AI and the Markdown features - they’ve tried to fit some of WordPad’s rich text features following its removal
darig 5 hours ago [-]
[dead]
consp 5 hours ago [-]
So what this means is every Windows program is now a cve nightmare (or goldmine, depending on view)?
veltas 4 hours ago [-]
Yeah the other day in calc.exe I pressed F7 in programmer mode to change to octal (F5 to F8 select Hex, Dec, Oct, Bin), and instead it asked if I was sure I wanted to enable caret browsing.
BLKNSLVR 2 hours ago [-]
One of the last straws that got me to migrate to Linux was how long it would take for calc.exe to open in Windows 10. Even on much older computers and much older version of Windows it was instant. Suddenly in the mid-2010's the calculator is so bloated you have to wait a few seconds for it to load? Fuck off.
It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.
ddtaylor 3 hours ago [-]
Oof. That's a special kind of stupid. I get how it happened, but like, they found a way to make calc bad while also bringing an obscure feature in modern browsers I hate with a passion.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
balazspapp 4 hours ago [-]
I've found calc's currency converter feature frightening.
a96 5 hours ago [-]
Always has been.
netsharc 5 hours ago [-]
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
fhd2 3 hours ago [-]
> Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
LiamPowell 3 hours ago [-]
It's in fact the opposite. Browsers show a popup that asks if you really intended to click a link with a non http/https handler, notepad does not.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
fhd2 1 hours ago [-]
Ah, got it. Very different from where I suspected the issue then.
jfaganel99 5 hours ago [-]
Notepad had one job... Seems like bringing markdown features killed it :)
latexr 29 minutes ago [-]
Something felt off about your comments, so I checked your account. You signed up almost six years ago, and in all that time made zero submissions and your only comments are these two on this thread? I’ve been seeing this more and more on HN. What exactly is going on here?
szszrk 2 hours ago [-]
Markdown? They shoved copilot into it.
jfaganel99 1 hours ago [-]
Yeah, way more than the good old Notepad :)
core1024 3 hours ago [-]
It looks like, after Microsoft discontinued WordPad, they want to implement more features into Notepad. If you want simple plain text editor you have to use msedit[1].
You can still open the real notepad, you just have to turn off a "feature" that makes running notepad.exe open the new notepad. Its called "execution alias" or something like that.
tomNth 47 minutes ago [-]
I just use the winxp wordpad.exe. (and calc paint notepad, and I use paint shop pro 4.12)
idoxer 4 hours ago [-]
We got notepad.exe RCE before GTA 6
Stevvo 1 hours ago [-]
Old notepad is still in Windows 11 at C:\Windows\notepad.exe
feverzsj 3 hours ago [-]
They could've just implemented it in webview2 with all the AI features they want.
richardfey 2 hours ago [-]
I feel like the process of carving out any meaning out of "QA" is complete.
It's cathartic, in its twisted way...
repelsteeltje 3 hours ago [-]
I'm frankly amazed that the majority of new laptops still come with Microsoft Windows.
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for peristent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
dgxyz 4 hours ago [-]
Seems whatever they do they step in shit. They should stop doing stuff.
They spent the last few years entirely compromising their products rather than improving them.
muragekibicho 4 hours ago [-]
Exactly my predicament. My laptop reached EOL but I'm struggling to purchase a new one.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
dgxyz 3 hours ago [-]
Yeah it sucks. Got an MBP here which was my refuge from Windows. That's gone to hell too.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
LandR 2 hours ago [-]
As someone who would like to get a new PC (but a desktop) for coding, and is considering a mac, why would you never buy a mac for coding ?
I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.
muragekibicho 52 minutes ago [-]
1. I like my laptops with USB ports and removable RAM and disk. I love computers and opening up a mac is a bad experience.
2. It costs an arm and a leg to replace parts on a Mac when you travel outside the United States. Replacing the keyboard on my first macbook cost the same as the actual price. I learnt my lesson. I don't need that Apple garbage in my life.
ddtaylor 3 hours ago [-]
Do you have a moment to talk about Linux?
w4yai 3 hours ago [-]
Half of my software don't work on Linux. My job also depends on running PE in a legitimate (read not Wine) environment - and I don't want to spend half of my RAM running VMs.
What should I do ?
skydhash 8 minutes ago [-]
Multiple computers. I have an MBA for whenever I need to do a meeting or do online shopping. But my personal usage (95%) happens on openbsd. Work provides a MBP that only has work stuff and only opened between work hours.
sbt567 2 hours ago [-]
One day I'm trying a modified Windows (bloat stripped) from team-os. And the difference is night and day. My old laptop finally can run Windows 10!
I wonder though if there are more open and trusted modified Windows being developed out there because trying random modified Windows in team-os is not getting me some confidence
dgxyz 3 hours ago [-]
I had that problem about 20 years ago. I changed the job. I know that's an extreme position but to be tied to a steaming pile of crap is a career risk. I've seen people go down with ships in that way before and it scared me.
petepete 2 hours ago [-]
If you have to use Windows, just grit your teeth and use it.
Thankfully I don't.
direwolf20 3 hours ago [-]
Install Linux
33 minutes ago [-]
lpcvoid 4 hours ago [-]
8.8 RCE CVE in notepad.exe. Well done microslop
31337Logic 57 minutes ago [-]
Actually, the big red flag for me was the removal of "My Computer".
Folks, you might still think it's "your computer" but Microsoft clearly doesn't.
You've got something they want and they will stop at nothing to take it from you.
This should be treated as an all-out war.
larodi 4 hours ago [-]
use SublimeText, it is perhaps faster now than the stock Notepad
xnorswap 3 hours ago [-]
As much as I used to love Sublime, the version switching caught me out which burned me a bit, even if admittedly my v2 key lasted an unreasonable time through the version 3 beta, but I don't want to risk buying a v4 key without a clear roadmap of when they might switch to version 5.
skydhash 3 minutes ago [-]
It’s $99 for something that is almost 5 years old at that point.
outime 4 hours ago [-]
I can definitely vouch for this! I've been using it for many years and it's been essentially the same the whole time: fast, lean and working on all operating systems.
Krssst 3 hours ago [-]
Combined with LSP I find it to be quite a good IDE too. Handles extremely large source trees quite well.
chrisjj 3 hours ago [-]
> Product
> Windows Notepad
Disambiguation urgently needed.
hdgvhicv 4 hours ago [-]
So notepad now renders links, then when clicks execute the code on those links (not just loading a website in a browser for example)?
ankurdhama 3 hours ago [-]
My assumption here is that if the link is web link it will open that link in web browser but Windows (and other OSes) have custom URL handlers that open whatever app is registered for that URL and that app may have issues that causes it to download and run arbitrary code.
yellow_lead 4 hours ago [-]
I'd now like to see a RCE in MS Paint or Calculator, if the exploit finder is reading this.
st_goliath 4 hours ago [-]
Up next: forgotten Piet[1] autorun feature discovered in MS Paint. Customers complain after removal, insist they have existing legacy applications depending on it.
In the past I would have defended Microsoft for this, somehow.
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
__bax 5 hours ago [-]
Just now Notepad integrates very useful copilot assistant... What can go wrong
g947o 3 hours ago [-]
To be fair this has more to do with Markdown than anything else.
Although I approve of neither feature. notepad should stick with what it does well.
eur0pa 4 hours ago [-]
Good job!
jmyeet 2 hours ago [-]
I found a simpler explanation for what's going on [1].
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Eletron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
Yeah, clicking unverified links in a markdown document to launch an executable....
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
muvlon 5 hours ago [-]
What other markdown viewers or editors support URL schemes that just execute code? And not in a browser sandbox but in the same security context notepad itself is running in.
tosti 5 hours ago [-]
Clicking an unknown link shouldn't result in compromise. Fortunately, MS-Windows disallows running anything not vetted by MS unless you figure out how to bypass the "SmartScreen" filter. This filter is super annoying to many a techie or gamer, but for MS-Windows refusing to run "unknown" programs is a feature, not a bug.
So yes, MS will likely denounce this as not their problem and move on.
yrro 4 hours ago [-]
This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.
tosti 4 hours ago [-]
Funny that since the IE engine was plastered all over the place. Only 98lite could avoid it.
bayindirh 5 hours ago [-]
Notepad was the epitome of a single, well functioning app in Windows for the last eternity of two.
Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.
mrweasel 4 hours ago [-]
Even if you want to Notepad have clickable links, maybe not allow it to blindly allow every URL scheme known to man. It seems reasonable to limit it to do http/https and MAYBE mailto.
xxs 5 hours ago [-]
clicking links should not be a security issue and yes the CVE is totally deserved: that's remote code execution.
somat 3 hours ago [-]
I want to complain about the terminology used. It is probably just me, but RCE implies no user action required. It is a stupid, bad error yes, but because it requires the user to load a payload file and click on a link I would not really categorize it as a "remote" code execution type vulnerability.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
avaer 4 hours ago [-]
You can literally one-shot Opus 4.6 to make a better, faster, safer, more secure notepad.exe than the one that comes with Windows.
This isn't an AI slop problem.
g947o 3 hours ago [-]
Well, it might be "more secure" in the sense of "no hacker will use it as an attack vector", not necessarily "it is free of security of security bugs".
egorfine 4 hours ago [-]
Tools are almost never the problem.
The application of tools is.
avaer 3 hours ago [-]
I 100% agree. I'm just trying to point out the problem isn't Microsoft AI slopping their software. Even if you slopped it, the software could turn out better than what they're putting out.
There must be something much worse than slop going on to get to this point.
szszrk 2 hours ago [-]
Notepad and mspaint have now copilot integration. With full authentication integration that will likely fail for people in corporate environment.
That's a slop if you ask me. Even if it wasn't vibe coded, it now want's me to vibe use it. Who the hell wanted that.
deaux 2 hours ago [-]
It's good ole enshittification, which became common at least a decade before the term vibe coding was coined.
Rendered at 13:09:39 GMT+0000 (Coordinated Universal Time) with Vercel.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
It's easy to say you will, and very hard to actually do it.
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
Ah so that’s the trick! I’ve run into this problem a bunch of times in the wild, where some script emits csv which works on the developers machine but fails strangely with real world data.
Good to know there’s a simple solution. I hope I remember your comment next time I see this!
It's maddening and it's frustrating. The US doesn't have any of these issues, but in Europe, that's a complete mess!
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
Oh, here is the file I just saved... I see that it now tells me to rob a bank and donate the money to some random cult I'm just learning about.
Let me make a web search to understand how to contact the cult leader and proceed with my plan!
(luckily LLMs were not a thing back then :) )
Is that so? I ran pretty often in problems with programs having trouble with non-ANSI characters
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad
Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.
The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.
The specific gap this fills is 'Defense in Depth' + compliance. OS-level encryption (like FDE) is transparent once you log in. If you walk away from an unlocked machine, FDE does nothing.
App-level encryption, however, ensures the specific sensitive notes remain encrypted on disk even while the OS is running and the user is authenticated.
It's also portable as it allows the encrypted blob to be moved across untrusted transports (email, USB, cloud) without needing to set up an encrypted container/volume on the destination.
For FIPS/NIST workflows, relying solely on the OS often isn't enough for the auditor; having the application control the keys explicitly satisfies the 'data protection' control regardless of the underlying storage medium.
To meet FIPS 140-3, I can't roll my own crypto; I have to use a validated module.
I actually only link OpenSSL on Linux, and then only if it's in FIPS-mode. On Windows (CNG) and macOS (CoreCrypto), I use the native OS primitives to avoid the dependency and keep the binary small.
Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
Every text editor, including Emacs [...].
Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377
Neither vim nor Notepad are purely for displaying text though.
Up until fairly recently, that's exactly all Notepad did.
Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.
notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".
I read the cwe not cve, was wrong. It's still early in the morning...
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator “notepad %1”` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default)
And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files.
I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS.
Sorry to say this, but Notepad was a very trusted application now. I cannot believe that such a core utility has a 8.8 CVE, it sounds like a joke tbh.
These are sad times.
https://learn.microsoft.com/en-us/answers/questions/3845356/...
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
Oh, a kindred spirit!
I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.
(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)
Even with MSBuild 4. From the days when .NET Framework was an OS component and also the build tools (until Roslyn) were part of the Framework.
Shh, please. If MS find out, they'll add a parrot to "improve" it.
If you’re going to have a custom config, you might as well have a custom executable.
I’ve been fighting this for the last couple of weeks but it just doesn’t stick
https://learn.microsoft.com/en-us/windows/edit/
What's your day job? Are you self employed?
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
Like, if I have a h2 or url, its going to show as special text rather than the h2 tag?
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
It's because the program just calls a Windows API to display the version dialog of Windows itself.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
Better to have no alpha-transparency than whatever this is. At least old Paint just turned it white, and you could manipulate the white layer, with this working with the alpha layer is a nightmare.
https://github.com/christian-korneck/classic-windows-notepad
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy nodepad received, such as LF line ending support.
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
AI! It needs AI. Did I guess it right?
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
But I guess that's what you get when you fragment your ecosystem in apt, snap and gnome extension manager. I need to master nix asap.
Ok, tabs, I do like the tabs.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
Windows is just a mountain of shit.
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
Oh, what do you mean there's also SELinux, Snap, Flatpack, Docker, Podman, ...?
Because a compromised user could infect shared executables and spread the infection. A bit harder to do with etc but for sure possible. The main target would be infecting bash and you are done from the get go.
>when literally the only files that matter to me are in /home, which is a free-for-all?
The home folder's read write is usually restricted to the user. The only scenario where this isn't the case to my knowledge is Ubuntu where others can read it, but this is just a huge flaw in Ubuntu that almost no other distro has.
> The home folder's read write is usually restricted to the user.
Yeah, and that is the point. All user's programs including curl, wget, the web browser, anything else that connects to the network run as the user, and all the user's programs, by default, have access to everything inside ${HOME}.
Most people don't really care if /bin gets obliterated, but they do care dearly when /home/joe/photos/annies-2nd-birthday gets wiped.
You can always have two user accounts: oblio and unsafe-oblio anf have a shared folder between the two for transferring files. Or invest into some backup software.
You have:
- Windows Sandbox (consumer-level sandbox) - Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access) - HyperV (VM hypervisor) - Edge Browsers
Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparision, on Ubuntu, user folder by default can be read by all users.
I didn't even know Notepad would render Markdown.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of the its magic: it's immunity to the choices of marketing teams and dud management.
https://liquidninja.com/metapad/
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
After they added copilot I finally gave up and uninstalled it and switched to a one of the minimalistic clones of the good old notepad.exe
It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
[1]https://github.com/microsoft/edit
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for peristent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
They spent the last few years entirely compromising their products rather than improving them.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.
2. It costs an arm and a leg to replace parts on a Mac when you travel outside the United States. Replacing the keyboard on my first macbook cost the same as the actual price. I learnt my lesson. I don't need that Apple garbage in my life.
What should I do ?
I wonder though if there are more open and trusted modified Windows being developed out there because trying random modified Windows in team-os is not getting me some confidence
Thankfully I don't.
This should be treated as an all-out war.
> Windows Notepad
Disambiguation urgently needed.
[1] https://en.wikipedia.org/wiki/Esoteric_programming_language#...
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
Although I approve of neither feature. notepad should stick with what it does well.
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Eletron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
[1]: https://cybersecuritynews.com/windows-notepad-rce-vulnerabil...
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
So yes, MS will likely denounce this as not their problem and move on.
Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
This isn't an AI slop problem.
The application of tools is.
There must be something much worse than slop going on to get to this point.
That's a slop if you ask me. Even if it wasn't vibe coded, it now want's me to vibe use it. Who the hell wanted that.