They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things lmao.

Apparently, the "innovation" of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore? 😭

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology

@pheonix well, #Microsoft #Windows now basically is an irredeemable #Govware on its own!

@pheonix

That made me laugh in the morning! Thank you so much!👍😂

@FandaSin Laughter is the only logical response to an 8.8 severity rating for Notepad. Glad it brought a smile to your morning! Stay bright! 😊
@FandaSin, I really start to think that we are broken minds enough to laugh, because I also laughed at this.
@pheonix vibe coder doing vibe coding things 🤷‍♂️
@pheonix @cybso
30 per cent AI code! FTW!
@pheonix youth is skipping back to old Nokias, to DVDs, to buying vinyl and even to renting from video stores (really!).
So how do companies keep adding more and more features nobody wants anymore?

@pheonix

One of the reasons, why I use Notepad++ (https://notepad-plus-plus.org/downloads/)


Notepad++ users take note: It's time to check if you're hacked

Suspected China-state hackers used update infrastructure to deliver backdoored version.

Ars Technica
@ClickyMcTicker @pheonix There is no problem with it with the newest version 8.9.1

@bsm @pheonix

Notepad++ is my go-to choice for most everything. Simple, multi-tab app with good cleanup, find-n-replace, and macro tools.

@pheonix

I'm not surprised...

A simple cat <file> on the command line can also compromise your system. If you're unsure, you should therefore use cat -v <file>, if I'm not mistaken.

@13reak @pheonix For those curious: https://unix.stackexchange.com/questions/780938/is-it-still-unsafe-to-cat-an-arbitrary-file

The rewrite everything in Rust folks have a point, it seems.

Is it still unsafe to cat an arbitrary file?

I read this post today and the answers claimed that certain escape sequences could be dangerous in some terminals, this post also has people saying that it can even be unsafe to simply view log fil...

Unix & Linux Stack Exchange
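The cat -v behaviour mentioned in the two replies above, as an added example that is not part of any post in this thread: a Python rendering of the escaping that `cat -v` applies, so terminal control sequences embedded in an untrusted file are shown as visible text instead of being interpreted by the terminal. The sample bytes are constructed for the example.

```python
# Added example (not from any post in the thread): a Python rendering of the
# escaping that `cat -v` applies, so terminal control sequences in an untrusted
# file show up as visible text instead of being interpreted by the terminal.


def cat_v(data: bytes) -> str:
    """Render bytes the way GNU `cat -v` does.

    Newline and tab pass through (cat -v without -T); other control bytes
    become ^X, DEL becomes ^?, and bytes >= 0x80 are shown with an M- prefix
    followed by the same treatment of the low 7 bits.
    """
    out = []
    for b in data:
        prefix = ""
        if b >= 0x80:
            prefix = "M-"
            b -= 0x80
        if b == 0x0A and not prefix:
            out.append("\n")  # a real newline is passed through
        elif b == 0x09 and not prefix:
            out.append("\t")  # tabs are left alone unless -T is used
        elif b < 0x20:
            out.append(f"{prefix}^{chr(b + 0x40)}")  # e.g. ESC -> ^[
        elif b == 0x7F:
            out.append(f"{prefix}^?")
        else:
            out.append(f"{prefix}{chr(b)}")
    return "".join(out)


def find_escape_introducers(data: bytes) -> list[int]:
    """Return byte offsets of ESC (0x1B) and the 8-bit CSI/OSC introducers
    (0x9B, 0x9D), the bytes that start the terminal sequences the thread
    is worried about; useful for flagging a file before viewing it raw."""
    return [i for i, b in enumerate(data) if b in (0x1B, 0x9B, 0x9D)]


# Constructed sample: a log line carrying an OSC title-setting sequence
# (ESC ] 0 ; ... BEL), which a terminal would act on if printed raw,
# plus one stray high byte.
SAMPLE = b"status=ok\x1b]0;owned\x07 user=alice\x8a\n"

if __name__ == "__main__":
    print(cat_v(SAMPLE), end="")
    print("escape introducers at offsets:", find_escape_introducers(SAMPLE))
```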

@pheonix

Satya Nadella, 2014: "Microsoft needs to refocus on security for ordinary users and get that right before we even think about adding gimmicky features."

Satya Nadella, 2026: "...But what if we added more unsecured attack surface?"

@pheonix nothing can be safe. It is computing. That ship has sailed a loooooong time ago
@pheonix *vibe-coding intensifies*
@gabrielesvelto The vibes are definitely...high-decibel today. Stay safe out there! 🌊☕
@pheonix Idk how the fcuk they can mess up a simple notepad application. When you add junk (Copilot) it's kinda expected lol. #microslop f-ing company 🤮
@pheonix
Notepad?? FRIGGIN NOTEPAD? HOW DO YOU SCREW UP SOMETHING LIKE A BASIC-ASS TEXT EDITOR PROGRAM?
@trillytrill I know, right? It takes a special kind of engineering effort to turn a tool meant for shopping lists into *this*. We've reached the final boss of over-engineering! 🌸✨
@pheonix This is the most vibe slop, ever! 😁
@pheonix According to the report you have to click a link in the file, just loading it won't compromise the system.
@pheonix That's what you get for using AI in development. What could possibly go wrong?
@pheonix How can you fuckup Markdown support so hard

@pheonix

not the first one, not the last one :D

CVE-2019-12735 CVE-2002-1377 CVE-2016-1248 CVE-2021-43908 CVE-2023-36742 CVE-2020-27955 CVE-2007-5795 CVE-2022-48337 CVE-2024-25255 CVE-2025-49144 (

@pheonix what's an unverified protocol?
@pheonix You have to click a link. Merely opening the file isn't enough if I'm reading it correctly. That makes it comparable to Internet Explorer back when it would happily download and run any .exe. So pretty stupid.
@pheonix No, no it is not. All corporate compute needs to be in the sea.
@pheonix It's 1996 all over again, where everyone on Unix is going "hey hahaha if you send the word `fnord` to port 736 on a Windows machine it just crashes lololol"
@pheonix Given that WordPad had that built in, and MS killed it; not surprised
@pheonix and I still think they should have left support for formatted text where it belongs, in WordPad
Notepad could use syntax highlighting & (normal) auto-completion maybe ...
@pheonix Don’t forget that Notepad++ was compromised recently too by state actors… https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

@pheonix I believe nothing has ever been safe 🤔 The only state that approaches it is "not compromised yet" 😅

@pheonix Oh ffs

Right, it's back to pen and paper, so. JMJ.

@pheonix

This is hilarious. Next time hire some experienced, qualified, human coders? 🤣

@pheonix :

insert meme.

"wait, is Microsoft a huge security hole?"

"always have been"

@pheonix Do you also notice that a pending Windows update affects how applications behave? When programs react strangely and the "shut down and update" icon is visible, I already know what's going on. After updating and restarting, everything works normally again.
@pheonix another reason to switch to Linux; the only thing that can keep someone from switching is Adobe software
@pheonix @microsoft always delivers

@pheonix the thing is that there are many, many safe existing libraries to properly render and parse #Markdown without exposing yourself to RCE.

But my guess is that some project manager at #Microsoft simply went like “nah, I don’t want to wrestle with those licensing issues - just implement a Markdown parser/renderer from scratch, specifically tailored for all the legacy code we have in Notepad, with this over-stretched team of 3 contractors, and get it done by the end of the quarter”.

@pheonix

I, for one, am shocked the company going all in on spicy autocorrect keeps having worsening security issues. Thank goodness they take security seriously! /s

It is really something watching a company you hate burning itself to the ground.

@pheonix #Microsoft will never change. Security is always an afterthought.
@pheonix Nobody who genuinely cares about infosec uses Windows unless forced by an employer.
@pheonix wait, that CVE was REAL???? I thought it was a joke

@pheonix Seems to me this was severely UNDERdesigned and more like it was tossed to an intern to learn on and then nobody checked their work.

If it had been designed there would have been some thought put into what might happen if you let the program just arbitrarily open links in documents without any safety measures. That didn't happen. I thus conclude that not even a rudimentary attempt at design or change management occurred. Why waste that expense on notepad when there's AI to push?

@pheonix how have they been making the same mistakes in their products since their first email client in the 90s?

Every... Fucking... Time...

How

@pheonix
I'm old enough to remember how @adamshostack re-invented application security at Microsoft and basically for most of the industry. Holy $#!+ how the times have changed :(
@musevg @pheonix I mean, thanks, but really, that was Steve Lipner, Mike Howard, Dave LeBlanc, Jason Garms, Matt Thomlinson, @window and many others who worked exceptionally hard from 2001 or earlier ( @lmk did STRIDE in 1999) before I joined in 2006 to do my part on threat modeling.

@pheonix

It is Windows, there is a surprise inside every time you open the box.

#CrackerJack