| ▲ | Fiveplus 11 hours ago |
| We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline. For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege. At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?" |
| ▲ | bigfatkitten 8 hours ago | parent | next [-] |
| > At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?" They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer. |
| ▲ | ThrowawayB7 5 hours ago | parent | next [-] | | If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results. | | |
| ▲ | vachina 4 hours ago | parent [-] | | AI is useful but these management types typically don’t know how to make it useful. | | |
| ▲ | bigstrat2003 an hour ago | parent [-] | | Now imagine that you are someone who doesn't even think AI is useful, and imagine just how much more infuriating it is to have it crammed in. Drives me up a wall. |
| ▲ | tombert 3 hours ago | parent | prev | next [-] | | It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”. | |
| ▲ | est 4 hours ago | parent | prev | next [-] | | I think they came up with the exact right answer, like: > How do I add more features to get a promotion | |
| ▲ | psychoslave 4 hours ago | parent | prev | next [-] | | But can it generate qrcode already? | |
| ▲ | sneak 8 hours ago | parent | prev [-] | | It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”. | | |
| ▲ | ThrowawayB7 5 hours ago | parent | next [-] | | Individual developers or even developer management doesn't get much of a say in product direction at large corporations. The product management folks are who decide what features go in and when. | | |
| ▲ | GuinansEyebrows 3 hours ago | parent [-] | | PMs have resumes too :) - Successfully led key efforts to modernize aging platform technologies - Directed integration of cutting-edge system-wide artificial intelligence functionality |
| ▲ | zerkten 5 hours ago | parent | prev | next [-] | | Even if you talk to users, you can do it the wrong way. Big companies are incentivized by the stock market to care more about new users than existing ones because their only focus is growth. "Growth can't be rooted in your existing users" is a common feeling in product management circles. If you try to do things for people other than your existing users, then you end up doing odd stuff that at best is a mild annoyance. More likely you hurt their ability to continue using the app. | | |
| ▲ | wlesieutre 5 hours ago | parent [-] | | Exemplified by every website with a massive SIGN UP button and then a little 8 pt font log in tucked away somewhere underneath. Gee thanks for helping me find the button I'll use literally once and making me hunt for the one I'll need the other 99999 times I use this service. Existing users can go fuck themselves as long as new people are registering. Line go up! | | |
| ▲ | bradfitz 5 hours ago | parent [-] | | I can’t tell you how relieving it is to hear somebody else complain about this. This has been my pet peeve for ages. |
| ▲ | whatsupdog 6 hours ago | parent | prev | next [-] | | Unjustified downvoting. You absolutely have a point. Not just software, also the gazillion UI/UX designers. They keep moving things around and changing colors and fucking things up just to justify their salaries. Case in point: Google maps. It was perfect 15 years ago. We don't need vomit inducing color changes every 2 years | |
| ▲ | jahsome 6 hours ago | parent | prev | next [-] | | And yet, if they were raising a Series A, they'd be lauded as "disruptors" | | | |
| ▲ | cyanydeez 7 hours ago | parent | prev [-] | | Microsoft is driving AI adoption. Why blame the workers for this? | | |
| ▲ | wormpilled 6 hours ago | parent | next [-] | | Why can't Indian software developers stand up for themselves and say no? | | |
| ▲ | onion2k 6 hours ago | parent | next [-] | | Because there are plenty of developers who'll say yes, so anyone saying no is putting their ethics ahead of their livelihood. Few people will be willing to put their beliefs ahead of providing for their family. It's easy to say you will, and very hard to actually do it. | | |
| ▲ | eterm 6 hours ago | parent | next [-] | | That's what ethics are. If you don't make sacrifices for them they aren't ethics they're just conveniences. | | |
| ▲ | trinix912 5 hours ago | parent | next [-] | | This is easy to say until you're an immigrant worker in a foreign country - something one probably worked for their entire life up to that point - risking it all (and potentially wrecking the life of their entire family) just to stop some random utility from having a Copilot button. It's not "this software will be used to kill people", it's more like "there's this extra toolbar which nobody uses". In life you have to choose your battles. | | |
| ▲ | xantronix 5 hours ago | parent [-] | | I hadn't made more solid connections between the current state of software and industry, the subjugation of immigrants, and the death of the American neoliberal order until this comment thread, but here it lies bare, naked, and essentially impossible to ignore. With regards to the whole picture, there's no good or moral place to "RETVRN" to in a nostalgic sense. The one question that keeps ringing through my head as I see the world in constant upheaval, and my one refuge in meaning, technical craftsmanship, tumbling, is: Why did I not see this coming? |
| ▲ | optymizer 5 hours ago | parent | prev [-] | | "why won't other people make sacrifices for me?" Because the society in US is arranged as a competition with no safety net and where your employer has a disproportionate amount of influence on your well being and the happiness of your kids. I'm not going to give up $1M in total comp and excellent insurance for my family because you and I don't like where AI is going. | | |
| ▲ | appreciatorBus 4 hours ago | parent [-] | | Just having the option of giving up $1 million in compensation put one far far far above meaningful worries about your well-being and the happiness of your kids. | | |
| ▲ | optymizer 4 hours ago | parent [-] | | Not really. We would have to downsize our life. I'll have to explain it to the wife: "well, you see, we can't live in this house anymore because AI in Notepad was just too much". I'll dial my ethical and moral stance on software up to 11 when I see a proper social safety net in this country, with free healthcare and free education. And if we can't all agree on having even those vital things for free, then relying on collective agreement on software issues will never work in practice, so my sacrifice would be for nothing. I would just end up being the dumb idealist. |
| ▲ | appreciatorBus 4 hours ago | parent | prev | next [-] | | You can say exactly the same thing about the management and the shareholders. If they say no, someone else will say yes, so why blame them? | | |
| ▲ | optymizer 4 hours ago | parent | next [-] | | Your solution for us to all agree to do the same thing is not realistic for the same reason that recycling doesn't really work, why we have a myriad of programming languages and similar but incompatible hardware, etc. There is always someone who will take advantage of the prisoner's dilemma. | |
| ▲ | onion2k 4 hours ago | parent | prev [-] | | They make the decision about what to say yes to. They can choose to do something else without it impacting their individual circumstances. |
| ▲ | 6 hours ago | parent | prev [-] | | [deleted] |
| ▲ | mghackerlady 4 hours ago | parent | prev | next [-] | | It's a cultural thing. They'd much rather do what they think someone means than question authority | |
| ▲ | vachina 4 hours ago | parent | prev | next [-] | | Hard to say no to paycheck | |
| ▲ | 6 hours ago | parent | prev [-] | | [deleted] |
| ▲ | throwpoaster 7 hours ago | parent | prev [-] | | Microsoft is comprised of its workers. | | |
| ▲ | weinzierl 10 hours ago | parent | prev | next [-] |
| "For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text." Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed. I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight. |
| ▲ | usrbinbash 7 hours ago | parent | next [-] | | As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarrassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score. > and we have other battles we fight. Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with one's fist for no good reason, and then complaining about the resulting pain. | | |
| ▲ | MarleTangible 7 hours ago | parent | next [-] | | They also wanted to use the popularity of Notepad, so they replaced it with an AI bloatware version instead of creating a new app with extra features. | | | |
| ▲ | Aachen 4 hours ago | parent | prev | next [-] | | I would agree if it were RCE. This definition in the first paragraph on Wikipedia matches my understanding of it as a security consultant: > The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). --https://en.wikipedia.org/wiki/Arbitrary_code_execution Issues in handling local files, whether they require user interaction or not, are just that. Doesn't take away from the absurdity that notepad isn't a notepad but does extensive file contents parsing | |
| ▲ | mghackerlady 4 hours ago | parent | prev | next [-] | | For a good built-in "done" text editor, there's Apple's TextEdit. It's barely changed since NeXTSTEP and works flawlessly and is FOSS. As much as I hate Apple there's a reason I have GNUstep installed on most of my *nix boxes | |
| ▲ | breppp 5 hours ago | parent | prev [-] | | > Except no, we don't. notepad.exe was DONE SOFTWARE While 8.8 score is embarrassing, by no measure notepad was done software. It couldn't load a large text file for one, its search was barely functional, had funky issues with encoding, etc. Notepad++ is closer to what should be expected from an OS basic text editor | | |
| ▲ | bsza 5 hours ago | parent | next [-] | | What counts as "large"? I'm pretty sure at some point in my life I'd opened the entirety of Moby Dick in Notepad. Unless you want to look for text in a binary file (which Notepad definitely isn't for) I doubt you'll run into that problem too often. Also, I hope the irony of you citing Notepad++ [1] as what Notepad should aim to be isn't lost on you. My point being, these kinds of vulnerabilities shouldn't exist in a fucking text editor. [1] https://notepad-plus-plus.org/news/hijacked-incident-info-up... | | |
| ▲ | breppp 3 hours ago | parent | next [-] | | I know about the vulnerabilities in notepad++, however I was referring to the feature set. Regarding large, I am referring to log files for example. I think the issue was lack of use of memory mapped files, which meant the entire file was loaded to RAM always, often giving the frozen window experience | |
| ▲ | vel0city 4 hours ago | parent | prev [-] | | > What counts as "large"? Remote into a machine that you're not allowed to copy data out of. You only have the utilities baked into Windows and whatever the validated CI/CD process put there. You need to open a log file that has ballooned to at least several hundred megabytes, maybe more. Moby Dick is about 1MB of text. That's really not much compared to a lot of log files on pretty hot servers. I do agree though, if we're going to be complaining about how a text editor could have security issues and pointing to Notepad++ as an example otherwise, it's had its own share of notable vulnerabilities even before this update hijacking. CVE-2017-8803 had a code execution vulnerability on just opening a malicious file, this at least requires you to click the rendered link in a markdown file. | | |
| ▲ | bsza 4 hours ago | parent [-] | | Oh right, generated files exist. Though logging systems usually have a rollover file size you can configure, should this happen to you in real life. Honestly I'm okay with having to resort to power tools for these edge cases. Notepad is more for the average user who is less likely to run into 100 MB text files and more likely to run into a 2 kB text file someone shared on Discord. | | |
| ▲ | vel0city 2 hours ago | parent [-] | | > Though logging systems usually have a rollover file size you can configure, should this happen to you in real life I get what you're saying. But if things were done right I probably wouldn't have to be remoting into this box to hunt for a log file that wasn't properly being shipped to some other centralized logging platform. |
| ▲ | Romario77 4 hours ago | parent | prev | next [-] | | Notepad++ might be too much for a simple utility. Plus for many years Word was one of the main cash cows for MS, so they didn't want to make an editor that would take away from Word. And you could see how adding new things adds vulnerabilities. In this case they added ability to see/render markdown and with markdown they render links, which in this case allowed executing remote code when user clicks on a link. | | |
| ▲ | breppp 2 hours ago | parent [-] | | > Plus for many years Word was one of the main cash cows for MS, so they didn't want to make an editor that would take away from Word. Wordpad was the bundled rich text editor and was also a mess. I don't think an improved notepad could have cannibalized Word |
| ▲ | vbezhenar 5 hours ago | parent | prev [-] | | notepad.exe worked just fine. Notepad++ is a monster software. |
| ▲ | dspillett 8 hours ago | parent | prev | next [-] | | > nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem I wish… Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic. Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted. Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end… | | |
| ▲ | josephg 7 hours ago | parent | next [-] | | > to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM Ah so that’s the trick! I’ve run into this problem a bunch of times in the wild, where some script emits csv which works on the developers machine but fails strangely with real world data. Good to know there’s a simple solution. I hope I remember your comment next time I see this! | | |
| ▲ | silon42 7 hours ago | parent [-] | | Excel CSV is broken anyway, since in some (EU, ...) countries it needs ; as separator. | | |
| ▲ | OptionOfT 6 hours ago | parent | next [-] | | That's not an Excel issue. That's a locale issue. Due to (parts of?) the EU using the comma as the decimal separator, you have to use another symbol to separate your values. | | |
| ▲ | dspillett 5 hours ago | parent | next [-] | | Comma for decimal separator, and point (or sometimes apostrophe) for thousands separator if there is one, is very common. IIRC more European countries use that than don't, officially, and a bunch of countries outside Europe do too. It wouldn't normally necessitate not using comma as the field separator in CSV files though, wrapping those values in quotes is how that would usually be handled in my experience. Though many people end up switching to “our way”, despite their normal locale preferences, because of compatibility issues they encounter otherwise with US/UK software written naively. | |
| ▲ | anthk 5 hours ago | parent | prev [-] | | Locales should have died long ago. You use plain data, stop parsing it depending on where you live. Plan9/9front users were right long ago. Just use Unicode everywhere, use context-free units for money. | | |
| ▲ | dspillett 4 hours ago | parent [-] | | Locales are fine for display, but yes they should not affect what goes into files for transfer. There have always been appropriate control characters in the common character sets, in ASCII and most 8-bit codepages there are non-printing control characters that have suitable meanings to be used in place of commas and EOL so they could be used unescaped in data fields. Numbers could be plain, perhaps with the dot still as a standard decimal point or we could store non-integers as a pair of ints (value and scale), dates in an unambiguous format (something like one of the options from ISO8601), etc. Unfortunately people like CSV to be at least part way human-readable, which means readable delimiters, end-of-record markers being EOLs that a text editor would understand, and the decimal/thousand/currency symbols & date formatting that they are used to. |
| ▲ | dspillett 5 hours ago | parent | prev [-] | | A lot of the time when people say CSV they mean “character separated values” rather than specifically “comma separated values”. In the text files we get from clients we sometimes see tab used instead of comma, or pipe. I don't think we've seen semicolon yet, though our standard file interpreter would quietly cope¹ as long as there is nothing really odd in the header row. -------- [1] it uses the heuristic “the most common non-alpha-numeric non-space non-quote character found in the header row” to detect the separator used if it isn't explicitly told what to expect |
| ▲ | 7bit 7 hours ago | parent | prev [-] | | The very fact that UTF-8 itself discourages using the BOM is just so alien to me. I understand they want it to be the last encoding and therefore not in need of an explicit indicator, but as it currently IS NOT the only encoding that is used, it makes it just so difficult to understand if I'm reading any of the weird ASCII derivatives or actual Unicode. It's maddening and it's frustrating. The US doesn't have any of these issues, but in Europe, that's a complete mess! | | |
| ▲ | dspillett 5 hours ago | parent | next [-] | | > The US doesn't have any of these issues I think you mean “the US chooses to completely ignore these issues and gets away with it because they defined the basic standard that is used, ASCII, way-back-when, and didn't foresee it becoming an international thing so didn't think about anyone else” :) | |
| ▲ | capitainenemo 7 hours ago | parent | prev | next [-] | | From wikipedia... UTF-8 always has the same byte order,[5] so its only use in UTF-8 is to signal at the start that the text stream is encoded in UTF-8...
Not using a BOM allows text to be backwards-compatible with software designed for extended ASCII. For instance many programming languages permit non-ASCII bytes in string literals but not at the start of the file. ...
A BOM is unnecessary for detecting UTF-8 encoding. UTF-8 is a sparse encoding: a large fraction of possible byte combinations do not result in valid UTF-8 text.
That last one is a weaker point but it is true that with CSV a BOM is more likely to do harm than good. | |
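A worked example, added here and not written by any commenter or taken from any project named in the thread: the sniffing order the comments above describe (a BOM is authoritative; then a strict UTF-8 decode, which fails on most random 8-bit text because UTF-8 is sparse; cp1252 only as a last-resort guess, since it decodes every byte value), the UTF-8-with-BOM writer Excel needs, and the header-row delimiter heuristic from dspillett's footnote. All file contents are constructed, and UTF-32 BOMs are deliberately not handled.

```python
# Added example, not code from any commenter: sniff a CSV's encoding and
# delimiter the way the comments above describe.  Constructed inputs only.
import codecs
from collections import Counter

# UTF-32 BOMs are not handled; FF FE 00 00 would be misread as UTF-16 LE.
BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def sniff_encoding(data: bytes) -> tuple[str, bool, str]:
    """Return (encoding, had_bom, text).

    The BOM and strict-UTF-8 branches are deterministic.  cp1252 decodes
    every byte value, so that branch can only ever be a guess.
    """
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc, True, data[len(bom):].decode(enc)
    try:
        return "utf-8", False, data.decode("utf-8")  # strict: raises on bad bytes
    except UnicodeDecodeError:
        return "cp1252", False, data.decode("cp1252")  # never fails, so a guess


def sniff_delimiter(header: str, default: str = ",") -> str:
    """Most common character in the header row that is not alphanumeric,
    not a space and not a quote (tab counts; it is a real delimiter)."""
    counts = Counter(
        ch for ch in header
        if not ch.isalnum() and ch != " " and ch not in "\"'"
    )
    return counts.most_common(1)[0][0] if counts else default


def encode_for_excel(text: str) -> bytes:
    """UTF-8 with BOM: without it Excel assumes cp1252 and mangles bytes > 127."""
    return codecs.BOM_UTF8 + text.encode("utf-8")


def read_csv_header(data: bytes) -> dict:
    """Combine both sniffers on a raw file and report what was decided."""
    enc, bom, text = sniff_encoding(data)
    header = text.splitlines()[0] if text else ""
    delim = sniff_delimiter(header)
    return {
        "encoding": enc,
        "bom": bom,
        "guessed": enc == "cp1252",   # flag the non-deterministic branch
        "delimiter": delim,
        "columns": [c.strip("\"'") for c in header.split(delim)] if header else [],
    }


if __name__ == "__main__":
    # Constructed samples: the same two-column file in four guises.
    samples = {
        "utf8-bom-semicolon": codecs.BOM_UTF8 + "Name;Preis\r\nBräu;1,50\r\n".encode("utf-8"),
        "utf16le-bom-tab": codecs.BOM_UTF16_LE + "Name\tPreis\r\nBräu\t1,50\r\n".encode("utf-16-le"),
        "cp1252-no-bom-pipe": "Name|Preis\r\nBräu|1,50\r\n".encode("cp1252"),
        "utf8-no-bom-comma": '"Name","Preis"\r\n"Bräu","1,50"\r\n'.encode("utf-8"),
    }
    for label, raw in samples.items():
        print(label, read_csv_header(raw))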
| ▲ | g-b-r 7 hours ago | parent | prev [-] | | Indeed, I've been using the BOM in all my text files for maybe decades now, those who wrote the recommendation are clearly from an English country | | |
| ▲ | dspillett 5 hours ago | parent [-] | | > are clearly from an English country One particular English-speaking country… The UK has issues with ASCII too, as our currency symbol (£) is not included. Not nearly as much trouble as non-English languages due to the lack of accents & such that they need, but we are still affected. |
| ▲ | bsza 8 hours ago | parent | prev | next [-] | | There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money. When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust. | |
| ▲ | reyqn 9 hours ago | parent | prev | next [-] | | Embarrassing bugs are not RCEs. Also the industry should be more mature now, not less. But move fast and break things, I guess... | | |
| ▲ | sph 9 hours ago | parent [-] | | We have reached peak software stability, it's all gonna be downhill from here. | | |
| ▲ | cookiengineer 7 hours ago | parent | next [-] | | Peak software stability was Windows 7, that's why it's still used in industrial environments. | | |
| ▲ | trinix912 5 hours ago | parent [-] | | Funny how back then people claimed peak stability was Windows 2000. 10 years from now people will look at Windows 10 and claim that was peak stability. |
| ▲ | fwgijcqywqeo 8 hours ago | parent | prev [-] | | We are living in the future! |
| ▲ | nuancebydefault 9 hours ago | parent | prev | next [-] | | To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to persuade you to do something harmful. In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since. | | |
| ▲ | egeozcan 8 hours ago | parent [-] | | > unless... you understood Chinese and the alternative text would manage to persuade you to do something harmful Oh, here is the file I just saved... I see that it now tells me to rob a bank and donate the money to some random cult I'm just learning about. Let me make a web search to understand how to contact the cult leader and proceed with my plan! (luckily LLMs were not a thing back then :) ) |
| ▲ | Vinnl 9 hours ago | parent | prev | next [-] | | https://en.wikipedia.org/wiki/Bush_hid_the_facts | | | |
| ▲ | g947o 9 hours ago | parent | prev | next [-] | | I am pretty sure it's possible to fix that entire category of bugs without introducing RCE vulnerabilities. | | | |
| ▲ | jama211 9 hours ago | parent | prev | next [-] | | Fascinating reading about that bug, thanks for sharing | |
| ▲ | croes 9 hours ago | parent | prev | next [-] | | > Now this is a solved problem Is that so? I run into problems pretty often with programs having trouble with non-ANSI characters | |
| ▲ | direwolf20 9 hours ago | parent | prev [-] | | It's not solved, we just don't have to guess the encoding any more because it's always UTF-8. |
| ▲ | keepamovin 10 hours ago | parent | prev | next [-] |
| I couldn't agree more. A text editor exposing an attack surface via a network stack is precisely the kind of bloat that makes modern computing ultra-fragile. I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard. It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad |
| ▲ | usrbinbash 7 hours ago | parent | next [-] | | Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer. | | |
| ▲ | keepamovin 7 hours ago | parent [-] | | That is completely valid for personal threat models, I rely on LUKS/BitLocker for my daily driver too. The specific gap this fills is 'Defense in Depth' + compliance. OS-level encryption (like FDE) is transparent once you log in. If you walk away from an unlocked machine, FDE does nothing. App-level encryption, however, ensures the specific sensitive notes remain encrypted on disk even while the OS is running and the user is authenticated. It's also portable as it allows the encrypted blob to be moved across untrusted transports (email, USB, cloud) without needing to set up an encrypted container/volume on the destination. For FIPS/NIST workflows, relying solely on the OS often isn't enough for the auditor; having the application control the keys explicitly satisfies the 'data protection' control regardless of the underlying storage medium. | | |
| ▲ | usrbinbash 5 hours ago | parent [-] | | > If you walk away from an unlocked machine ...then I might as well ask what happens when I walk away from the encrypting editor while a file is still open. User Error can happen with any encryption or security schema. Pointing out a truism is not an argument. > It's also portable So is encrypting files using a specialized tool. I don't need my editor to do this. The entire point of my criticism, and indeed the entire point of this thread, is that software that should focus on a narrow task, tries to do way too much, leading to problems. | | |
| ▲ | dataflow 3 hours ago | parent [-] | | For what it's worth I understood the argument and think it is valid. It's one thing for the file you're working on to be vulnerable if you walk away leaving the editor open; it's another for all of your other files to be vulnerable too. It's O(1) vs. O(n). The difference is clearly not zero. |
| ▲ | joshuaissac 6 hours ago | parent | prev | next [-] | | > FIPS-compliant bindings (OpenSSL) Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates. The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations. | | |
| ▲ | fuzzzerd 4 hours ago | parent [-] | | While I think this is good advice, the fact that it's true feels backward to me. "We have a legal or contractual obligation to be less secure than we otherwise would be." Just seems silly. | | |
| ▲ | tristor 4 hours ago | parent [-] | | Welcome to the reality of most of the "information security" business, which is mostly just compliance by checkbox. A significant proportion of encrypted Internet traffic that is transiting government agencies or major enterprises gets decrypted in flight for inspection, literally inserting a black-box with privileged MITM capabilities into otherwise secure protocols, purely for the purpose of checking a compliance box, and that's not even the worst sin. There's no insecurity like compliant cybersecurity :) |
| ▲ | Muromec 9 hours ago | parent | prev [-] | | What does notepad need openssl for? | | |
| ▲ | keepamovin 9 hours ago | parent | next [-] | | Encryption at rest (AES-GCM). To meet FIPS 140-3, I can't roll my own crypto; I have to use a validated module. I actually only link OpenSSL on Linux, and then only if it's in FIPS-mode. On Windows (CNG) and macOS (CoreCrypto), I use the native OS primitives to avoid the dependency and keep the binary small. | |
| ▲ | absynth 9 hours ago | parent | prev | next [-] | | For the built-in web-browser instance it likely contains by now. | | |
| ▲ | daemoncoder 9 hours ago | parent [-] | | Ability to handle email coming soon. | | |
| ▲ | autoexec 9 hours ago | parent [-] | | But can it play MP3s? | | |
| ▲ | MonkeyClub 8 hours ago | parent [-] | | I'm sure eventually it will, it's law: Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs. | | |
| ▲ | oblio 8 hours ago | parent [-] | | > Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs. Every text editor, including Emacs [...]. | | |
| ▲ | anthk 5 hours ago | parent | next [-] | | Emacs has EMMS for music, reusing mpg123/mpv/ffplay and the like, but it can emulate Vim well enough too ;) Although now I'm using 9front, Sam and Acme. I feel weird not using the keyboard but at least I understood structural expressions for Sam/Acme really fast, first with 'Vis' and next under Acme. Oh, Acme can do mail and news and a bunch more... because it has I/O since the beginning, you can plug anything into it, from commands to the text buffer to sockets. Even a crude HN client if you dare. | |
| ▲ | xaldir 3 hours ago | parent | prev [-] | | No, no, no, Emacs is a pretty good operating system, it just lacks a good text editor. |
| ▲ | nicoburns 9 hours ago | parent | prev | next [-] | | Looks like it's using it for encryption. | |
| ▲ | w4yai 9 hours ago | parent | prev [-] | | Cryptography I guess |
| ▲ | gruez 6 hours ago | parent | prev | next [-] |
>At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?" But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)? From MSRC: >How could an attacker exploit this vulnerability? >An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files. Sounds like a bug where you could put a URL like \\evil.example\virus.exe into a link, and if a user clicks it executes virus.exe |
| ▲ | optymizer 5 hours ago | parent [-] | | That's why we have text editors, markdown viewers, image viewers, etc. You were never able to "click a link" in Notepad in the past. Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them. | | |
| ▲ | Rohansi 3 hours ago | parent [-] | | I think there are more text editors around that render clickable links than there are that don't. Even your terminal probably renders clickable links. Despite the scary words and score this wouldn't even be a vulnerability if people weren't so hard wired to click every link they see. It's not some URL parsing gone wrong triggering an RCE. Most likely they allowed something like file:// links which of course opens that file. Totally valid link, but the feature must be neutered to only http(s):// because people. |
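The two readings above (a link target that is a UNC path or a non-http scheme, handed straight to an opener) both come down to the same missing check: a scheme allowlist on the link target before anything is launched. The block below is an added example written for this thread, not code from Notepad, from Microsoft or from the MSRC advisory, and it assumes nothing about how Notepad's Markdown view is implemented or what exactly the fixed bug accepted. It extracts inline links and autolinks from a constructed Markdown sample, classifies each target, and returns only absolute http(s) URLs as clickable; UNC shares, drive-letter paths, relative paths, `file:` and any other scheme (the `myapp:` scheme in the sample is made up) are refused with a reason. The sample document and every host in it are constructed for the example.

```python
"""
Scheme allowlist for link targets found in a Markdown document.

Added example for this discussion, not code from Notepad or Microsoft. It
shows the check a viewer that renders clickable links should run before
handing a target to a URL opener: only absolute http(s) URLs are clickable.
File paths, UNC shares, drive letters, relative paths and other URI schemes
are refused, because a shell-style opener will resolve and launch them.
"""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# [text](target), [text](target "title") and [text](<target with spaces>)
INLINE_LINK_RE = re.compile(
    r'\[(?P<text>[^\]]*)\]\(\s*(?:<(?P<angled>[^<>\n]*)>|(?P<bare>[^\s()<>]+))'
    r'(?:\s+"[^"]*")?\s*\)'
)
# <scheme:...> autolinks
AUTOLINK_RE = re.compile(r'<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>')
SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')
DRIVE_RE = re.compile(r'^[A-Za-z]:[\\/]')
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def classify_target(target):
    """Return (allowed, reason) for one link target. Only absolute http(s) URLs pass."""
    # WHATWG URL parsing drops tab/CR/LF anywhere and trims C0 controls and spaces
    # at the ends; mirror that so "fi\nle:" is judged as the file: scheme it becomes.
    cleaned = re.sub(r"[\t\n\r]", "", target).strip(C0_AND_SPACE)
    if not cleaned:
        return False, "empty target"
    if "\\" in cleaned:
        return False, "backslash in target (UNC share or Windows path)"
    if cleaned.startswith("//"):
        return False, "scheme-relative URL or forward-slash UNC path"
    if DRIVE_RE.match(cleaned):
        return False, "drive-letter path"
    m = SCHEME_RE.match(cleaned)
    if m is None:
        return False, "no scheme: relative path, resolved against the document's folder"
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allowlisted"
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False, "malformed URL"
    if not parts.netloc or not parts.hostname:
        return False, "http(s) URL without a host"
    return True, "absolute http(s) URL"


def extract_links(markdown):
    """Return (text, target) pairs for inline links and autolinks, in document order."""
    links = []
    for m in INLINE_LINK_RE.finditer(markdown):
        target = m.group("angled") if m.group("angled") is not None else m.group("bare")
        links.append((m.group("text"), target))
    # Strip inline links first so an <...>-wrapped destination is not counted twice.
    remainder = INLINE_LINK_RE.sub("", markdown)
    for m in AUTOLINK_RE.finditer(remainder):
        links.append((m.group(1), m.group(1)))
    return links


def audit_markdown(markdown):
    """Classify every link target: list of (target, allowed, reason)."""
    return [(target, *classify_target(target)) for _, target in extract_links(markdown)]


def clickable_targets(markdown):
    """The only targets a viewer should ever pass to a URL opener."""
    return [target for target, allowed, _ in audit_markdown(markdown) if allowed]


# Constructed sample; the hosts, paths and the myapp: scheme are made up.
SAMPLE_MARKDOWN = r"""
# Release notes (constructed sample, not a real document)

Read the [docs](https://docs.example/notepad) or the [mirror](HTTP://mirror.example/ "mirror").
Grab the [installer](<\\evil.example\share\Program Files\setup.exe>) to get started,
or use [this copy](file:///C:/Users/Public/setup.exe) instead.
Also [a relative file](../tools/run.cmd), [a drive path](C:/tools/run.cmd)
and [a scheme-relative link](//evil.example/x).
Autolinks too: <https://example.org/> and <myapp:launch?cmd=anything>.
"""

if __name__ == "__main__":
    for target, allowed, reason in audit_markdown(SAMPLE_MARKDOWN):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {target!r}: {reason}")
```

Running it against the sample marks three targets as clickable (the two `docs.example`/`mirror.example` links and the `example.org` autolink) and blocks the other six with the reason each one tripped. The point is the shape of the check, not the regexes: a viewer decides what it will open with an allowlist of schemes plus a host requirement, and anything else, however "valid" a link it is, never reaches a launcher.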
| ▲ | numpad0 an hour ago | parent | prev | next [-] |
| > At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?" Everyone has to prove their worth by involving more people in ever embiggening trainwrecks every quarter in this day and age just to maintain employment, and without tangibly threatening anyone else's while at it. That's where the features are coming from. That's what needs to be fixed. Which also goes way beyond engineering. |
|
| ▲ | cafebabbe 10 hours ago | parent | prev | next [-] |
| Question is, did they even realize they added a network-aware rendering stack... |
| |
| ▲ | autoexec 8 hours ago | parent [-] | | Is it giving MS too much credit to suggest that they probably didn't just vibe code their new notepad? |
| ▲ | JCattheATM 4 hours ago | parent | prev | next [-] |
| Things started going downhill when they added a Bing option to one of the menus, which was only very recently after they added support for *nix newlines. A very mishandled product, but then the whole OS has been mishandled since 10. Some would say 7. |
|
| ▲ | mr_mitm 10 hours ago | parent | prev | next [-] |
| Unfortunately, code execution in text editors isn't a new thing. Vim had one published in 2019: https://github.com/numirias/security/blob/master/doc/2019-06... Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377 Neither vim nor Notepad are purely for displaying text though. |
| |
| ▲ | Someone1234 6 hours ago | parent | next [-] | | > Neither vim nor Notepad are purely for displaying text though. Up until fairly recently, that's exactly all Notepad did. Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat. | |
| ▲ | iso1631 9 hours ago | parent | prev [-] | | vim is a far larger program than a text editor. notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text". |
| ▲ | titzer 5 hours ago | parent | prev | next [-] |
| It'd be more hilarious if it weren't so sad. In just 10 years a disturbingly large number of huge development teams decided that making a GUI application using the old ways [1] was too hard and decided to ship an entire web engine (electron) to render 10 buttons. [1] (native GUI widgets? agggh) |
| |
|
| ▲ | kgwxd 8 hours ago | parent | prev | next [-] |
| The day calculator brought me to an MS Store login was the day I became a radical. |
| |
| ▲ | cube00 5 hours ago | parent [-] | | Mine was when they asked me to rate the calculator on the store. | | |
| ▲ | consp 11 hours ago | parent | prev | next [-] |
| > viewing data is a fundamental failure of the principle of least privilege. I read the CWE, not the CVE, was wrong. It's still early in the morning... |
| |
| ▲ | seritools 10 hours ago | parent | next [-] | | You are mistaken: > The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user. | |
| ▲ | mwalser 10 hours ago | parent | prev [-] | | > If I read it correctly (but could be mistaken), it runs with setuid root I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges. | | |
| ▲ | dijit 10 hours ago | parent [-] | | People very often run notepad as administrator (anything launched from administrative powershell instances will run like this). In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator “notepad %1”` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default) And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it. Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files. | | |
| ▲ | patates 10 hours ago | parent | next [-] | | > And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it. I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS. | |
| ▲ | MarleTangible 7 hours ago | parent | prev [-] | | > Regardless, notepad is a very trusted application and is often run as Administrator. Sorry to say this, but Notepad was a very trusted application now. I cannot believe that such a core utility has an 8.8 CVE, it sounds like a joke tbh. | | |
| ▲ | dijit 7 hours ago | parent [-] | | A totally valid modification to the statement I made. These are sad times. |
| ▲ | AnonymousPlanet 10 hours ago | parent | prev | next [-] |
| I'm not sure if we should use "gold standard" together with the little piece of garbage that notepad.exe was for most of its existence. It has been the bane for anyone who had to do work on locked down Windows servers and had to, e.g., edit files with modern encodings. They fixed some of it in the meantime, but the bitter taste remains. |
| |
| ▲ | iugtmkbdfil834 7 hours ago | parent [-] | | You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh Windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end was nigh. |
| ▲ | addhochohoc 7 hours ago | parent | prev | next [-] |
| You goto go with the times man, goto write yourself a fulltime job with a legacy. |
|
| ▲ | TZubiri 9 hours ago | parent | prev | next [-] |
| EDIT: THE OLD NOTEPAD IS STILL IN WINDOWS AND WE CAN USE IT! https://learn.microsoft.com/en-us/answers/questions/3845356/... You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D OLD POST: This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install. Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever. But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed". |
| |
| ▲ | BLKNSLVR 8 hours ago | parent | next [-] | | I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on. I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page. | | |
| ▲ | mghackerlady 4 hours ago | parent [-] | | You can do that (probably even better) on linux with a Live Usb. I have a fedora one on my keychain since it has firefox and libreoffice included by default |
| |
| ▲ | MonkeyClub 8 hours ago | parent | prev | next [-] | | > the purity of "working with what's installed". Oh, a kindred spirit! I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset. (Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?) | | |
| ▲ | ygra 8 hours ago | parent | next [-] | | > Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe? Even with MSBuild 4. From the days when .NET Framework was an OS component and also the build tools (until Roslyn) were part of the Framework. | |
| ▲ | sneak 8 hours ago | parent | prev | next [-] | | Not having one’s configuration present is kneecapping yourself needlessly. If you’re going to have a custom config, you might as well have a custom executable. | | |
| ▲ | TZubiri 4 hours ago | parent [-] | | Oh but we have our configuration, it's all in the defaults baby. And what isn't like locking down /home/user permissions and increasing bash_history sizes, I keep it small and configurable in less than 2 minutes. (And server side only, which always requires more setup. Not saying that spending the first days on a new project configuring your custom setup with the company's stack is bad, especially if you are categorizing as employee and are looking for a multi year long run. But I tend to do small contracts, 1 to 6 months, and starting right away is a nice boost. |
| |
| ▲ | chrisjj 7 hours ago | parent | prev | next [-] | | > Did you know Windows comes with a bare bones C# 5 toolchain Shh, please. If MS find out, they'll add a parrot to "improve" it. | |
| ▲ | TZubiri 4 hours ago | parent | prev [-] | | I played with the preinstalled languages in windows before, but the legacy stuff dizzied me before llms existed. now that llms exist I am learning with dotnet, that now comes with windows, (or at least it comes with winget, and you can install a lot of kosher software, which is almost as good as having it preinstalled.) If I ever hop onto an older machine I'll use the gpt to see what I get, i recall there's vbscript, apparently a .net compiler+runtime, and I saw a js interpreter in very old OS too. A big inspiration in this realm is FogBugz historical "Wasabi". Their idea of compiling to PHP and c# i think it was, because it's what most OS come with, and their corpo clients can use it as it. It's in a joel spolsky blog post somewhere. |
| |
| ▲ | Baerbeisser 5 hours ago | parent | prev | next [-] | | There's still old tiny Metapad. And also more modern and fully featured (but still light) Notepad 2/3/4 and Notepad++. For full replacement, I just renamed all instances to notepad.exe.bak, back then on Windows 7 & 10, and rename-replaced it with metapad.exe. Though, I guess with UWP apps (modern Notepad is one), it's just file associations nowadays. There's surely some mass-reassociate utility around? Btw, nano is only a 50/50 chance that it's pre-installed. Learn some vim, will ya? ;) | | |
| ▲ | amlib 5 hours ago | parent [-] | | If he learns vim... gasp ...he will be cursed with having to install vim in every machine he touches for the rest of his life! :) | | |
| ▲ | TZubiri 4 hours ago | parent [-] | | It usually comes with linux, but nano is simpler and it doesn't teach you by holding you hostage until you learn :q! |
|
| |
| ▲ | autoexec 8 hours ago | parent | prev | next [-] | | EDIT.COM still works in dosbox | | |
| ▲ | ganzsz 7 hours ago | parent [-] | | Edit is ported to win11 and edit(.exe) should work in your shell of choice. https://learn.microsoft.com/en-us/windows/edit/ | | |
| ▲ | nottorp 7 hours ago | parent [-] | | But... did they add a http server in it? Mail reader? | | |
| ▲ | suprfsat 7 hours ago | parent | next [-] | | Rewrote it in Rust | | |
| ▲ | tormeh 3 hours ago | parent [-] | | That explains why it's so nice. Well, not really, but it does hint at it being new and built by someone who gives a damn. It's honestly far nicer for my use than vi or nano, which is annoying since I'm on Linux. Edit: Fedora has it available as "msedit". What a time to be alive. |
| |
| ▲ | naikrovek 7 hours ago | parent | prev [-] | | no, and the person at Microsoft that wrote it is adamant about keeping it as an editor only. | | |
| ▲ | nottorp 3 hours ago | parent [-] | | Management: add "AI" or we'll fire you and give the project to one who will. |
| |
| ▲ | funnybeam 7 hours ago | parent | prev | next [-] | | Except it keeps reverting to the new notepad every few days…. I’ve been fighting this for the last couple of weeks but it just doesn’t stick | | | |
| ▲ | oblio 8 hours ago | parent | prev [-] | | > This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install. What's your day job? Are you self employed? |
| ▲ | artemonster 10 hours ago | parent | prev | next [-] |
| tell this to level N-1 managers that want to get promoted by the only way of "launching features" |
|
| ▲ | hennell 10 hours ago | parent | prev | next [-] |
| A utility meant for viewing data? I don't think you understand what a text editor is. I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges. |
| |
| ▲ | ntoskrnl_exe 9 hours ago | parent [-] | | I'm not sure I understand what you're trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And I fail to see the new features as anything but useless bloat. |
| ▲ | ceving 10 hours ago | parent | prev | next [-] |
| They should have called it Emacs. Then everybody would have known. |
|
| ▲ | 10 hours ago | parent | prev [-] |
| [deleted] |