Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

  • ChickenLadyLovesLife@lemmy.worldEnglish
    1·
    11 hours ago

    The search order would end up finding your shortcut first.

    Sure, but in my case “Notepad” was a shortcut to actual Notepad.exe. It still should have worked.

    • bitjunkie@lemmy.worldEnglish
      2·
      11 hours ago

      iirc .lnk files didn’t pass along params to the actual executable, at least not in 9x

      src: first tech job was at a MS silver partner in the 90s