Why is Microsoft updating their text editors!? | TheStandup

Do we want to get to the main topic? This Yes. [laughter] >> main topic. 40 minutes in. Yeah. >> Uh anyways, sorry. Today on the standup, we are going to have Casey Miratory give us the lowdown on Notepad and Notepad++. If you are not familiar, there has been some big news in both of the old pads. And so, Casey, why don't you take this? >> I mean, big big news might be saying a little bit much. They both had security exploits is really what was kind of weird. And the reason normally we probably wouldn't be talking about it if it weren't for the fact that it's kind of just getting absurd now that like both of the Notepad apps for Windows both had security exploits in like the last 12 months. Uh which is just kind of a little bit weird and you're just like how are how have we gotten to the place where like the text editor is regularly having security exploits. So, I'll start with regular Notepad, which is just the one that comes bundled with Windows. That's the one that you're probably most likely to use because it comes directly from Microsoft and you don't have to have installed it. It's just going to be there, right? So, this one's kind of nuts. And actually, I'm I'm sort of glad that I read up on this one because I didn't actually know this fact about Windows. I maybe could have guessed it had I thought really hard, but I might not have because I might have been like, "Well, surely no one would do that." Um, [laughter] >> you underestimate Microsoft, my friend. >> And I was like, "Okay, I guess uh yeah, lesson learned." So anyway, so what happens is, uh, in Notepad, in normal Notepad now, they've sort of started adding features, which is exactly what you don't want someone to do to a Notepad, right? Like the whole point of Notepad is it's just this like really crappy text editor and you can kind of breathe a sigh of relief when you fire it up because it's just not going to do anything, right? So you kind of would have hoped that like, oh, if I'm going to open this file, nothing could possibly go wrong because it's Notepad. It doesn't have anything in it. Can't do anything. It's fine. But they've been steadily adding features to Notepad. So now that's not true anymore, right? It's got co-pilot integration and all this other stuff. Now >> that's what I need. >> Yeah. So now if you open up Notepad, it's like anything goes. It's just like opening up Microsoft Word or something, who knows how much security uh snafoods could be hiding. So, one of the things that they did is if you open a markdown file in Notepad, now normally you'd think, well, it's just notepad, so if I open a markdown file, it's going to show it as a text file. But no, it will actually do the markdown parsing in Notepad, I guess. And now, I have never noticed this myself. I've never used Notepad to open a markdown. I didn't even know it did that. >> Same. Apparently it does, right? And one of the things that it does when it parses the markerdown file is that it properly obeys that like parentheses bracket syntax for linking where you can basically put in like here's a URL of some kind and here's the display text that I want for it. It will actually do that conversion and properly display that in the notepad so that you can kind of just click on links and they will, you know, it'll take you to the links. Now, here is where the problem begins. The way that they shipped this feature is like mo [laughter] >> Oh my god. >> So, >> Casey, are you okay? Do we need to like do we have do we need like a personal chat right now? [laughter] >> Yeah. Here, Casey, I can make you feel a lot better. I actually do have a copy of uh the secure notepad. It's right here. I got it right [laughter] here. This is This is super secure. I've got >> Yeah, you could you could have fit secur one online. >> No mistakes. >> No mistakes. Anyways, go ahead. >> Hey, is that HTTP? Get that out of here. That's not how we order coffee. We order coffee via ssh terminal.shop. Yeah, you want a real experience. You want real coffee? You want awesome subscriptions so you never have to remember again? Oh, you want exclusive blends with exclusive coffee and exclusive content? Then check out Kron. You don't know what SSH is? Well, maybe the coffee is not for you. [singing and music] >> So, the way that they they shipped this feature, uh, anyone that mo this will be lost on most of you, but anyone who's been like a longtime Windows programmer, they will be they will just they won't they'll have the face that I just had on my face. They will have that on their face, too. So the way that they shipped this feature was they do the markdown parsing as you would expect and they produce the like URL. They they produce the like string the display string like you would in markdown and they take whatever the URL would have been and they save just that raw string. Basically they just keep that. When the user clicks on the link, literally they call shell execute exw and [laughter] just pass that through. >> Oh man. Hey Gabby, [laughter] >> how's that even pass? Like is it like security audits when they like do this stuff? >> I don't believe it. >> Yes. >> And it's hidden, right? You can't see what it is because it's it's hidden under >> Yeah. I mean it's not going to tell you what it it's just going to pass it to shell execute just that's it right so it's just like they fill out you can actually go see uh the people have decompiled the code so they you can actually go see it's like yep it fills out the shell x uh w like inferstruct it sets the command to open and just just blam the string is just [laughter] there's the string like have a party open right >> wow >> so basically what this means is that anybody who, you know, was unaware because like normally you wouldn't think that's what it would do. Like normally you'd be like, "Oh, this is going to go to a web like this will go to a web browser and the web browser will interpret the URL. So how risky could it possibly be? It's no different than if I was just clicking a link on a website, right?" No, you can literally put anything you want in there like file slash the path to something you want to run and it will just run with your permissions [laughter] on your machine right there. No web browser necessary, right? I tried I'm trying in my head to come up with a reason why that happened and like I can't even come up with one. >> Well, I'm trying to come up with how it was allowed to happen. That's the >> So So that's just in there, right? And the only real saving grace here. So like that's really bad. Like that just should never I mean that's not there's people there's apologists who like replied to the tweet that I made about this who were like well I mean the user clicked on the link. I'm like no no no I don't think you understand the user clicked on the link is true for every security exploit that's ever occurred. Like every security [laughter] exploit somebody at some point installed something even if it's the operating system. And you can't be like, "Well, they installed an operating system on the computer, so it's their fault that eventually it got hacked." Like, no. >> They clicked accept on the terms and conditions, so therefore. >> Yes. Like the user is if the user clicks on a link, it's the program's responsibility to ensure that it's going to just open the link in a web browser, not oh, that could just be crap that runs on your machine. Now, >> can I can I ask a follow? >> That's not on the table, right? Yeah. So shell execute when it gets handed a URL that is a properly formatted HTTPS thing will just launch a browser. It had I didn't even that's kind of crazy. I I guess I never really realized that you could just >> protocol you so shell so so shell execute um >> I don't know shell execute. I've never tried this method. It just seems interesting to me that you can just be like here's https you know what to do and it's just like >> yeah actually this is so so you could think of it as that is the job of open so so when you do shell execute you can basically pass there these things called verbs right >> is x open the same >> sorry >> sorry keep going I'm just trying a xdg xdg open >> yes >> um and the idea is this is you know it it makes sense and when it was created you know shell execute uh the first time I remember it was in win 95. Uh so it's it's been around like a very long time but the yeah uh but the ide >> yeah uh so the idea behind shell execute is very simple it's that protocol handlers like people who know how to do something they can register those with the shell and the shell can go oh you know I you know someone called open and they gave me a PDF file who are the people who are currently registered to handle PDF files Okay, let's open one of those and hand them this thing. So, it literally like this is its job. Its job is to take something like a URL and decode it into saying, "Oh, that I know how to open one of those. Here's a program on the machine that can do that for me." So, shell execute is operating as intended. Now, obviously, this is a huge security hole, which is one of the reasons you generally don't want a program to just be calling shell execute on stuff if the user is unfamiliar with it. Typically, like if you're going to call shell execute, you probably want to do a bunch of like hardening of that path to make sure that you've parsed the string yourself and know that it's not something confusing. Right now, obviously this has been a security exploit topic before because and now we'll get to the really cool stuff. So, prior to 2024, one of the things that shell execute did know how to handle was installer apps. So MSIs, that just runs and installs crap [laughter] to your machine, right? So you could with this exploit, you could do ms-app install colon some remote file and it will download and run it. Now thankfully in 2024, Microsoft just removed that feature. >> 2024 >> 2020 Well, you know, better late [laughter] than never, Ted. >> Yeah. Yeah, that's okay. >> Yeah. So >> Wow. So now what will actually happen if you wanted to do the maximal version of this notepad exploit is thankfully Microsoft's other you know people who removed that will stop that from happening. You'll get a box that pops up that says hey uh I can no longer autoinstall things. Please notify whoever it was that distributed the software that they have to update their installation link. Like yes good very very good job. Um [laughter] that was good. Right. And so that actually stopped this exploit from being potentially a lot worse than it was. Now >> question one quick question. Can you just do like a like a curl, you know, some I don't know what they call uh DOSS scripts. I I'm just going to call bash for, you know, some remote script and then pass it into bash, whatever the equivalent of that. Can can you just shell execute that? Can you just shell execute a curl? Uh, so you as far as I know, and I guess I haven't thought about it too hard, but as far as I know, with with a single click, meaning all you're going to do is click on one of those one of those markdown parsed links, and it's going to pass something to shell execute. The thing that it's going to do has to be resident on your machine. So, it would have to be like file something on your machine and it would run that. >> Okay? But it can't with because they closed that MS-app install. So, so a practical exploit for this exploit would have had to look like, hey, um, here's the GitHub for our document collection. No executables or anything, right? And you download it, but it does secretly have an executable in it, but you're never going to click on that because it's some buried in some subdirectory you'll never see or whatever, right? Yep. then the main page which is like hey table of contents with a link you click on that and it's got a file link to that executable and it runs it and then you're done you're toast right because that's going to run that executable with your permissions right away um so but without that MS app install because that loophole is closed now for shell execute I don't think there was a way to have oneclick both download and run a program I could be wrong about that though but I don't think with a single shell execute it can do that it had to be something already read. So, it could either go get a file from the internet like by opening a web browser with one click or it could run a file already on your computer. But, I don't think it can do both together. I don't think uh people can correct me if I'm wrong about that though because I mean I'm not the person who reverse engineered this exploit. So, I don't know. I'm just going by what uh security researchers uh put up there and making my best guess. Uh but I did test it myself though. I went and ran I made my own little shell execute thing uh to see what happens if I did an MSM app install and I did verify that that is now blocked at least on my whatever my current version of Windows is that was running on this machine I'm talking to you via right now uh it it does in fact block those. So that's cool. Now I don't think unlike the exploit we're going to talk about next, I don't think this one was ever exploited in the wild because Microsoft found it. So they shift it and then some security audit or somebody who was going through the code or some research team that found it send it send it to them might have been what happened. I don't know. Uh because there were reverse engineerings of it online. So it might have been that one of those reverse engineering people actually were the people who reported it right. I don't I didn't look to see who was the if there somebody got a bug bounty for it or whatever. I had Canon is it's that somebody was really mad that Microsoft is shipping updates to Notepad internally and they're like I'm gonna show that you guys should stop updating this cuz I know for sure that you guys that's what I think in my head. I'm thinking some guy inside is LIKE STOP UPDATING THIS. I'VE BEEN TELLING YOU WE JUST NEED AN ERROR. >> YEP. The security like someone on one of their hardcore security teams was like they did what to notepad. All right, I'm going to go look at that. And it was like what did you do? >> Yeah. from engineering's on that team. I know he left a shell exploit [laughter] in here somewhere. >> Yeah. Yeah. Yeah. >> Like the entire security audit is just like Gp shell exec [laughter] xw. It's like bam bam bam bam bam bam bam. They're like oh no. [laughter] Yeah. Uh so that was that was the one that shipped with Windows. And fortunately, again, as far as I'm aware, uh, this was found by either security researchers inside or outside of Microsoft prior to anyone getting severely compromised by it. So, it didn't end up being an issue, I don't think. That's my understanding anyway. Not so for Notepad++, unfortunately. Notepad++, which I use, by the way, and have now uninstalled from my machines because I'm now terrified um of even using a text editor anymore, which is terrifying. It's like I'm having a hard time emotionally thinking of whatever teams in charge of Notepad++, which hasn't changed from Windows 95 all the way up until just like two years ago. whatever team that was that was in charge of it has started putting so many features into it including AI and I don't think they're ready for all the possible exploits. Like I just don't think they're ready for it and they don't know what they're doing out there. >> No. Notepad++ on the other hand, uh this one is very scary. Uh the Notepad one that I just said is more of like a face palm kind of thing. It's like guys don't sh don't like we don't need to add shell execute to like just don't put shell execute in Notepad ever. like it doesn't need that, right? Um but uh yeah, so the problem is with Notepad++, this is a different story. Notepad++ is actually like a very sophisticated attacking individuals. That's why this one's so scary. >> Oh, cool. And by cool, I mean terrifying, but also cool story. >> Yeah. >> Okay. So, and I would preface that Notepad++ is like it's, you know, it's a something developed by just some folks, right? Like it's not a commercial package. It's really not their responsibility to secure it. So, at some level, it's not that, you know, it's not like it's some somebody's fault for doing a bad job because it's like, well, they you you know, you they aren't even getting paid to do this thing, right? Like so it's like they're not necessarily supposed to employ a security team or anything else, right? But it just goes to show you that like well if you're just using some open source software or whatever it is, it's like actually you might just want to be really scared about that because who the heck knows at this point. What happened with Notepad++ is as follows. They unfortunately made the decision, which I just wish people would just stop doing. They unfortunately made the decision quite some time ago to have the thing have a auto autoupdate feature. Now thankfully it's not the kind of feature that's like you know Chrome or whatever where it just silently updates the binary like if you know if you have the automatically keep updated checkbox checked or something it just updates your binary whenever there's a new one or something like that. Thankfully they did not do that. But what they did do is they made a thing called the wind g or wind g up or something like that which they basically made their own little update uh program their own little update sort of uh codebase and they actually share it. So you can use this, you know, this is something that other people could use as well. And it's just an updator that checks a website, gets an XML, a little XML like uh payload that says like what the latest, you know, um download is so that can compare against itself. And if it's newer, it pops up a dialogue box basically that says like, "Hey, there's a new version of, in this case, Notepad++ or whatever the Windg is running on. There's a new version. Would you like to download it now?" Right? And you can click yes if you want it or no if you don't. Thankfully, because I hate software updates, for the past four years, I have always clicked no. Other people who probably were also advised that they should keep their software up to date for security reasons, which is always a mixed like the thing they don't tell you is the easiest way to get security exploits is to not update your software. And the easiest way to get security exploits is to update your software. So, yep. Right. >> Um, so like you're damned if you do, damned if you don't. And this is a great example of that. So, >> probably going like, "Oh, I should make sure I'm up to date on my Notepad++." Clicked yes. So, this particular updater at the time didn't have any kind of cryptographic integrity check. So, for those of you who maybe aren't familiar with this kind of process, when you are going to update a binary, typically what you want to do is you want to make sure that the binary that you're updating to actually is the binary that you think it is. So, for example, if I install Notepad++ on my machine, in a in an ideal world, what would happen is I only have to trust the first time I got Notepad++. Now, obviously, if the first time I get Notepad++, it's a hacked version of it. I'm screwed. So maybe don't download the first version from the pirate bay or whatever, right? But once I have it installed, what I would like is for that program to have what we would traditionally call like a public key that you know, every copy of Notepad++ just has the same key. when it wants to download a new version of itself, when it downloads that executable, it can check to see if that executable is signed in some way so that the binary itself actually matches when you do a signature check matches the public key that we have and only the people who can who produce the binary have the private key. So no one else can do it without actually hacking like the you know extracting the p private key from this you know who wherever the build from it and and that can happen too at which case all bets are off but at least now we know uh someone can't just you know hijack it and the reason that this is important is because if you think about when something goes to autoupdate it's just connecting to the internet to get that update if it's you know gets maninthem like somebody's sitting there and can intercept the traffic it can just go, "Oh, he's trying to download a new Notepad++. I've got a great Notepad++ for him." And gives the you you know the the modified executable that has all the security exploits in it, right? So anyway, this particular uh version of Notepad uh I guess prior to 2025, they just didn't have any kind of verification. So they didn't verify the XML package and they also that you know came to say you know where you should get the new version from and they also didn't verify any executables that they that you would have downloaded as a consequence for that. So, this was just an insecure process. And again, this is a there's a standard CVE for this. If you actually go uh not CV, there's a standard what what do they call it? I don't know if you've ever if you ever read I'm not a security researcher. If you've ever read those CVEes, which are basically like the thing that details what the exploit was from the MITER Corporation keeps this them in a giant list, right? Um there's part of the thing that details the exploit. There's like codes that they have for what kind of exploit it was. So there like this is just a standard kind. It's did not validate an update binary. That's like it's just that's just like a standard thing, right? Because it this has happened before. So anyway, so that's the basic idea of what's about to happen. And the so that part while scary because it's like well that's not great. The scarier part is how they went about exploiting this because a normal kind of exploit is a lot less scary than the kind that they carried out here. So what they chose to do what the what the attackers chose to do with it and they are believed to be state sponsored because of the level of sophistication is they decided look if we start randomly exploiting all of these you know this back door to to notepad you know that's going to get detected quickly. So instead what we'll do is we'll pick highv value targets whose machines we were trying to compromise and we will see if any like of those IP addresses connect to update notepad++ we'll man in the middle it because we figured out how to hack the web like we hacked the like the web provider or someone in between the web provider I don't remember the specifics are actually uh not as well documented as I would have the specifics of the hack are very well documented the specifics of exactly what the man in the middle part looked like we're not we man in the middle that we're just going to wait we're going to pass everything through so it looks like notepad++ is updating normally for everyone else but when we see a high value IP comes in then we'll slip them the mickey right then that and only that cup of coke gets the roofy right so what they then do is they serve just the highv value targets an updated Notepad++ ++ that has and I loved I loved this. It was I don't know if if hackers do these things to be funny because you know I I I've never really known like a real black hat hacker I guess but I know some people who are kind of like maybe adjacent to that and they do like inside jokes uh in that way so I don't know. So what it does is it includes a legitimate copy of Bit Defender of some executable from Bit Defender a legitimate one that they have replaced some of the DLS that it loads. So they use an executable that is signed but that loads an external DL so that they won't get security checked on that and they replace just the DLL it loads with the DLL that does the security exploit that they need right so I'm like okay so they give you this package and effectively what happens is Notepad++ will update itself with the bad version that you sent it doesn't check it just starts running that you think you're running Notepad++ but Actually, you're running this uh copy of Bit Defender, which they've actually renamed to Bluetooth service. So, you're running a thing called Bluetooth service, which yes, you're running this extra thing called Bluetooth service that's actually a copy of Bit Defender that's that's intact. They haven't changed that at all, but they replace some of the DLS that it would have loaded with ones that have their exploit payload. And off we go. So, this thing was like pretty hard to find apparently. I'm not sure how the security researchers actually ended up doing it. You could see uh you can go read rapid 7 has like their full breakdown of like how they went about finding it and it's like they had to find it on just there was a small number of machines that were having this happen and they had to dig into it I guess because again like very few people had it so it's kind of like hair pulling of like wait what's going on and eventually they were able to track it back to the fact that it was notepad even though most people's notepad installs were not compromised right so at the end of the day. This is kind of terrifying because it's like, holy cow. Like, I mean, I'm not a highv value target, so I guess I don't really have to worry too much about that kind of thing. But it's crazy just how intentional these things are. I didn't quite realize like how specific they might be. And my guess is we have not found most of these, right? Like like this is not the only time they've done something like this, I'm sure. And what are the chances that we've actually detected most of them? >> That's interesting that they're able to man in the middle so thoroughly like that. That's what I'm like most curious about is how how could you like what kind of access do you need to have or what have you hacked to be able to do that? just the web provider that happened to be running um the the little windy update other end or whatever it is or not or the not the other end the um where the file the the web provider basically >> whatever they were hosting the notepad >> they just had to hack the host that's it yeah >> that's crazy and then they would just they would selectively pick which one is wild >> yeah well that's the thing is like yeah like I feel like that's what makes it so insidious is because normally Like if somebody hacks a web host provider or hacks some website, a bunch of people will get screwed but will know like that day, right? Because all hell breaks loose and like and security research are seeing weird files like they're monitoring all this stuff, right? >> Yeah. >> Whereas this they don't see anything >> because they're not a high value target. >> Well, they're presumably they know they try to figure out where all of those collection spaces are and intentionally would never serve it to one of those. Right. The hard part is finding someone highprofile using nlad. >> Dang it. YOU TOOK MY JOKE TRASH. THAT'S WHAT I [laughter] WAS GOING TO ASK IS THERE SUCH THING AS A HIGH VALUE TARGET USING >> NO. >> SORRY BUDDY. I said it already. Sorry prime. I said it already. Sorry. >> I said [laughter] can I ask the question? >> THAT'S WHY I SLIPPED IT IN THERE. I WAS LIKE, I GOT TO get this in before somebody else says it. >> Trash. That's genius. Thanks a lot. Thanks a lot. No, I really appreciate that. Makes me feel great about myself. I use it because I have to I make the materials. I I want people to be able to use a a text editor that they're familiar with that they can just get for free on Windows. Okay. You know, I'm not proud of it. >> They're handing out Notepad++ for free for sure now. They're like, "Guys, [laughter] Casey Casey, how does it make you feel?" >> Not great. >> That when they attacked highv value targets, you weren't included. Like, what's like what what went through your mind that day? >> Up and up, guys. >> We don't know that they didn't try. Casey's been clicking no. That's say I was just going to say I'm sure I was tops on the list prime tops on that list and I just didn't hit update. They they were probably furious >> that they couldn't get access to my machine with this hack. Probably the whole reason they did it and the other targets were just like to you know they're like well we could since we didn't get Casey we'll get a couple we'll get you know NORAD or whatever. You know >> there's like a cinematic scene that has Casey's face on a dart board. A guy just smoking cigars just throwing darts at Casey's face. [laughter] >> Yeah. I mean, that's a chance why they kept the exploit open. They were just waiting for Casey to hit the update. They were going, going, going. I don't know, man. We got to we got to get something back to the boss, even though we're really here to [snorts] get Casey. They're like, "All we got was Bill." And it was like, "No big deal." >> Bill from it. >> Yeah. >> The first guy doesn't play Mind Sweeper ever, and now he doesn't update his notepad. How are WE GOING TO HACK this [laughter] guy? >> We've tried leaving USBs on the sidewalk. He doesn't put those in his computer. We're screwed. >> He's not even clicking markdown links in Notepad. He's some kind of freak. >> What the hell? Everyone clicks markdown links. That's why they're there. >> Especially in Notepad, >> specifically in the [laughter] world's most markdown friendly editor that everyone knows about, Notepad. >> Yeah. Well, now that it has C-Pilot, I do kind of think it is the best place to work with Markdown documents. Prime. >> I do like the idea of someone at Microsoft coming out and going, "Well, the we have some good news and bad news." The bad news is that the markdown parsing in notepad was attacked with a pretty significant security exploit. The good news is since nobody knew that notepad parsed markdown to begin with, no one was opening markdown files and [laughter] so we avoided any actual security. >> We like to call that at here at the big kind of shops like we operate at Microsoft. We like to call that Swiss cheese security. And so we're really confident we've got so many layers of abstraction nobody's going to be able to exploit our software. Good news. Copilot has had no security exploits because nobody uses it. And we will continue [laughter] this nobody uses C-pilot so it can't get exploited strategy. Hey guys, if you like this episode, you can watch the rest of it on the Spotify. And don't forget to like and subscribe. Woo! See you later. >> Boot up five [music] errors [singing] on my screen. Terminal [music] coffee and living the dream.

Chapters 00:00:00 - Intro 00:03:42 - ssh terminal.shop 00:04:16 - Notepad Exploit 00:14:47 - Notepad++ Exploit 00:30:16 - Outro https://twitch.tv/ThePrimeagen - I Stream on Twitch https://twitter.com/terminaldotshop - Want to order coffee over SSH? ssh terminal.shop Become Backend Dev: https://boot.dev/prime (plus i make courses for them) This is also the best way to support me is to support yourself becoming a better backend engineer. Great News? Want me to research and create video????: https://www.reddit.com/r/ThePrimeagen Kinesis Advantage 360: https://bit.ly/Prime-Kinesis The crew talks about one of the biggest debates in programming right now: do lines of code actually matter? They dive into AI coding tools, developer productivity, and why measuring engineers by code output might be completely broken. Along the way they roast the viral “burned out my USB-C ports using Claude Code” tweet, share stories about gamifying developer metrics, and break down some surprisingly wild security vulnerabilities in both Windows Notepad and Notepad++. A mix of tech insight, developer culture, and plenty of chaos.