|
|
Пишет Slashdot (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_slashdot)@ 2026-02-13 03:45:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
Windows 11 Notepad Flaw Let Files Execute Silently via Markdown Links
Microsoft has patched a high-severity vulnerability in Windows 11's Notepad that allowed attackers to silently execute local or remote programs when a user clicked a specially crafted Markdown link, all without triggering any Windows security warning. The flaw, tracked as CVE-2026-20841 and fixed in the February 2026 Patch Tuesday update, stemmed from Notepad's relatively new Markdown support -- a feature Microsoft added after discontinuing WordPad and rewriting Notepad to serve as both a plain text and rich text editor. An attacker only needed to create a Markdown file containing file:// links pointing to executables or special URIs like ms-appinstaller://, and a Ctrl+click in Markdown mode would launch them. Microsoft's fix now displays a warning dialog for any link that doesn't use http:// or https://, though the company did not explain why it chose a prompt over blocking non-standard links entirely. Notepad updates automatically through the Microsoft Store.
Microsoft has patched a high-severity vulnerability in Windows 11's Notepad that allowed attackers to silently execute local or remote programs when a user clicked a specially crafted Markdown link, all without triggering any Windows security warning. The flaw, tracked as CVE-2026-20841 and fixed in the February 2026 Patch Tuesday update, stemmed from Notepad's relatively new Markdown support -- a feature Microsoft added after discontinuing WordPad and rewriting Notepad to serve as both a plain text and rich text editor. An attacker only needed to create a Markdown file containing file:// links pointing to executables or special URIs like ms-appinstaller://, and a Ctrl+click in Markdown mode would launch them. Microsoft's fix now displays a warning dialog for any link that doesn't use http:// or https://, though the company did not explain why it chose a prompt over blocking non-standard links entirely. Notepad updates automatically through the Microsoft Store.
Read more of this story at Slashdot.
