Windows Notepad is now complex enough to have a serious security flaw
Summary created by Smart Answers AI
In summary:
- PCWorld reports that Windows Notepad's new Markdown support has introduced a serious remote code execution vulnerability with a high CVSS score of 8.8/7.7 (base/temporal).
- The flaw allows a malicious Markdown file to fetch and execute external code when it is opened, though the attack requires user interaction and social engineering.
- Microsoft currently has no fix for the vulnerability and advises users to avoid downloading files from untrusted sources.
At the risk of going into old-man-yells-at-cloud mode, I remember when Notepad was the most basic text editor around. Some coders and writers liked the program, which has shipped with every single version of Windows (and earlier), for exactly that reason. But Microsoft has been building out Notepad ever since it killed off WordPad… and now Notepad is complex enough to support remote code execution. Neat.
For the uninitiated, remote code execution (RCE) is a class of security vulnerability that lets an attacker get their own program loaded and run on your machine without your permission or knowledge. It's the kind of attack that shouldn't even be possible in a super-basic text editor, which has no business fetching or launching anything. But with the pile of new features in Notepad, up to and including "AI" integration via Copilot, its attack surface is far larger than it used to be. The latest problem comes from Notepad's support for Markdown, a lightweight text formatting syntax, which was added in July of 2025.
The new issue was disclosed by Microsoft itself in a security bulletin. It goes like this: the user downloads a file containing Markdown-formatted text, then opens it in Notepad. Because of the Markdown support, a link inside the file is rendered the way a link is in a browser. Most users would assume that clicking the link simply leads to a website… but it can also trigger a download of remote code, which isn't something Notepad was capable of even a year ago. That code then runs with the same level of permission as the logged-in Windows user. That isn't a privilege escalation, but it doesn't need to be: anything the user can read, write, or launch, the attacker's code can too.
The flaw carries a standardized CVSS score of 8.8/7.7 (base/temporal), which makes it a high-severity issue for Microsoft, and one with no current fix. Fortunately, it requires a separate file download plus a very deliberate user action (opening the file and clicking the link), so an attacker has to do some work to pull it off. In practice it would be combined with social engineering and trickery for maximum effectiveness. The good old "don't download anything from untrustworthy sources" advice applies here, and until a patch ships, treating Markdown files from unknown senders with the same suspicion as executables is the sensible precaution.
This is an issue that earlier versions of Notepad didn't have. But here I have to point out that just because you're using a less "modern" alternative doesn't mean you're completely safe. For example, Notepad++ (a non-Microsoft open-source editor that's been popular with power users for decades) was recently compromised by a targeted attack on the app's update servers.