dark-star 11 hours ago

Yeah, clicking unverified links in a markdown document to launch an executable....

Clicking unknown links is always a bad idea, but a CVE for that? I dunno....

muvlon 11 hours ago | parent | next [-]

What other markdown viewers or editors support URL schemes that just execute code? And not in a browser sandbox but in the same security context notepad itself is running in.

mananaysiempre 3 hours ago | parent [-]

Funnily enough, the core Windows API here that brings with it support for every URL scheme under the sun is plain old ShellExecute() from the mid-90s IE-in-the-shell era when such support was thought reasonable. (I actually still think it’s reasonable, just not with the OS architectures we have now or had then.)

tosti 11 hours ago | parent | prev | next [-]

Clicking an unknown link shouldn't result in compromise. Fortunately, MS-Windows disallows running anything not vetted by MS unless you figure out how to bypass the "SmartScreen" filter. This filter is super annoying to many a techie or gamer, but for MS-Windows refusing to run "unknown" programs is a feature, not a bug.

So yes, MS will likely denounce this as not their problem and move on.

yrro 10 hours ago | parent | next [-]

This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.

tosti 10 hours ago | parent [-]

Funny, that, since the IE engine was plastered all over the place. Only 98lite could avoid it.

dark-star an hour ago | parent | prev [-]

So if you download a random EXE in your browser and run that, it cannot result in compromise?

mrweasel 10 hours ago | parent | prev | next [-]

Even if you want Notepad to have clickable links, maybe don't let it blindly allow every URL scheme known to man. It seems reasonable to limit it to http/https and MAYBE mailto.
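The scheme allowlist mrweasel describes, and the ShellExecute() hand-off muvlon and mananaysiempre are talking about, as an added example (not code from the thread or from Notepad): parse the scheme the way RFC 3986 defines it, lowercase it, compare it against a short allowlist, and only then hand the link to the OS. The function names, the allowlist contents and the sample links are assumptions constructed for this example; on Windows the guarded branch calls the real ShellExecuteA(), elsewhere it just reports what it would have opened.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif

/* Assumed allowlist: the only schemes a text/markdown viewer should ever
   hand to the shell. Everything else (file:, javascript:, vendor schemes
   registered by third-party installers, ...) is refused before ShellExecute
   gets a chance to resolve it. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "mailto" };

/* Extract the URL scheme per RFC 3986:
     scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )  followed by ':'
   Writes the lowercased scheme into out and returns its length, or 0 when
   the string has no well-formed scheme (relative reference, leading
   whitespace, illegal character, or a scheme too long for the buffer). */
static size_t url_scheme(const char *url, char *out, size_t outlen)
{
    size_t i = 0;
    if (!url || outlen == 0 || !isalpha((unsigned char)url[0]))
        return 0;
    for (; url[i] != '\0' && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;               /* not a scheme character */
        if (i + 1 >= outlen)
            return 0;               /* no room for the terminator */
        out[i] = (char)tolower(c);  /* schemes are case-insensitive */
    }
    if (url[i] != ':')
        return 0;                   /* ran out of input before ':' */
    out[i] = '\0';
    return i;
}

/* Returns 1 if the link's scheme is on the allowlist, 0 otherwise. */
int link_is_allowed(const char *url)
{
    char scheme[16];
    size_t n = url_scheme(url, scheme, sizeof scheme);
    if (n == 0)
        return 0;
    for (size_t k = 0; k < sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0]; k++)
        if (strcmp(scheme, ALLOWED_SCHEMES[k]) == 0)
            return 1;
    return 0;
}

/* Open the link only after the allowlist check. Returns 1 if it was
   handed to the OS (or, off Windows, would have been), 0 if refused. */
int open_link(const char *url)
{
    if (!link_is_allowed(url)) {
        fprintf(stderr, "refused (scheme not allowlisted): %s\n", url);
        return 0;
    }
#ifdef _WIN32
    /* ShellExecuteA returns a value > 32 on success. */
    HINSTANCE h = ShellExecuteA(NULL, "open", url, NULL, NULL, SW_SHOWNORMAL);
    return ((INT_PTR)h > 32) ? 1 : 0;
#else
    printf("would open: %s\n", url);
    return 1;
#endif
}

int main(void)
{
    /* Constructed sample links a markdown document might contain. */
    const char *links[] = {
        "https://example.com/docs",
        "HTTP://example.com/upper-case-scheme",
        "mailto:someone@example.com",
        "file:///C:/example.exe",
        "javascript:void(0)",
        "example.com/no-scheme",
    };
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++)
        open_link(links[i]);
    return 0;
}
```

The point of parsing the scheme yourself rather than asking the OS is that ShellExecute resolves any scheme any installed program has registered, so the set of reachable handlers is unknowable to the viewer; a fixed allowlist keeps the decision in the viewer's hands. Matching on the lowercased scheme and rejecting anything that does not start with a letter also closes the usual bypasses of mixed case and leading whitespace.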

bayindirh 11 hours ago | parent | prev | next [-]

Notepad was the epitome of a single, well-functioning app in Windows for the last eternity or two.

Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.

somat 9 hours ago | parent | prev | next [-]

I want to complain about the terminology used. It is probably just me, but RCE implies no user action required. It is a stupid, bad error yes, but because it requires the user to load a payload file and click on a link I would not really categorize it as a "remote" code execution type vulnerability.

But yeah, pedantic terminology aside, what a stupid, stupid error. In Notepad, of all things; reading text files should be safe. It reminds me of the WMF failure. "No, you can't get a virus from playing a video" is what I would tell people. And then Microsoft in their infinite wisdom said "Herp derp, why don't we package the executable video decoder right in the video file? It will make searching for a codec a thing of the past." Sigh, smooth move Microsoft, thanks for making a liar out of me.

Aachen 4 hours ago | parent [-]

Yes, that is the definition consistent with historical use of "RCE": a component is accessible in such a way that it is remotely reachable and you can get full code execution access on the machine via that bug (subject to whatever limits the process has within the OS, such as running as a certain user ID or seccomp or such). This attack is less like an RCE in a networked web server and more like bad file parsing in a PDF reader.

Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor).

I know I can't stop language change, but I am getting a bit tired of how many tech people (who know better) go along with fear-term inflation.

xxs 11 hours ago | parent | prev [-]

Clicking links should not be a security issue, and yes, the CVE is totally deserved: that's remote code execution.