Windows 11 Notepad Flaw Let Files Execute Silently via Markdown Links (bleepingcomputer.com)
Microsoft has patched a high-severity vulnerability in Windows 11's Notepad that allowed attackers to silently execute local or remote programs when a user clicked a specially crafted Markdown link, all without triggering any Windows security warning.
The flaw, tracked as CVE-2026-20841 and fixed in the February 2026 Patch Tuesday update, stemmed from Notepad's relatively new Markdown support -- a feature Microsoft added after discontinuing WordPad and rewriting Notepad to serve as both a plain text and rich text editor. An attacker only needed to create a Markdown file containing file:// links pointing to executables or special URIs like ms-appinstaller://, and a Ctrl+click in Markdown mode would launch them. Microsoft's fix now displays a warning dialog for any link that doesn't use http:// or https://, though the company did not explain why it chose a prompt over blocking non-standard links entirely. Notepad updates automatically through the Microsoft Store.
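Added example, not part of the original summary and not Microsoft's code: a small Python scanner that applies the policy the summary attributes to the patched Notepad (only http:// and https:// links pass without review) to Markdown text before it is opened. The function names, regexes and sample document are constructed for illustration; treating drive-letter and UNC paths as `file` and ignoring relative targets are this example's own choices.

```python
import re

# Schemes the patched Notepad opens without a prompt, per the summary above.
ALLOWED_SCHEMES = {"http", "https"}

# Inline link or image: [text](target "optional title")
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")
# Reference definition: [label]: target
REFDEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?")
# Autolink: <scheme:target>
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^\s<>]+)>")
# RFC 3986 scheme at the start of a link target
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed sample document; the targets are placeholders, not real files.
SAMPLE = """\
# Release notes (constructed sample)
See the [changelog](https://example.com/changelog) and [setup](docs/setup.md).
Run the [updater](file:///C:/Users/Public/updater.exe) first.
Install via <ms-appinstaller://placeholder>
[tool]: FILE://fileserver/share/tool.exe
"""


def link_scheme(target):
    """Return the lower-cased scheme, 'file' for Windows paths, None if relative."""
    # Drive-letter and UNC paths name a file even without a file:// prefix.
    if re.match(r"^[A-Za-z]:[\\/]", target) or target.startswith("\\\\"):
        return "file"
    match = SCHEME.match(target)
    return match.group(1).lower() if match else None


def find_risky_links(markdown_text):
    """Return (line_number, scheme, target) for each link outside the allowlist."""
    findings = []
    for lineno, line in enumerate(markdown_text.splitlines(), start=1):
        targets = INLINE.findall(line) + AUTOLINK.findall(line)
        ref = REFDEF.match(line)
        if ref:
            targets.append(ref.group(1))
        seen = set()  # one target can match more than one pattern on a line
        for target in targets:
            if target in seen:
                continue
            seen.add(target)
            scheme = link_scheme(target)
            # Relative targets (scheme is None) are not reported here.
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((lineno, scheme, target))
    return findings


if __name__ == "__main__":
    for lineno, scheme, target in find_risky_links(SAMPLE):
        print(f"line {lineno}: {scheme} link -> {target}")
```
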
Down/up (Score:3)
Re: (Score:2)
Oh Microsoft... (Score:5, Insightful)
You took something simple like Notepad, added features we didn't want, and not only made it worse but actually made it insecure and fundamentally broken.
This could have been prevented by not removing Wordpad.
you're missing something (Score:3, Insightful)
Wrong (Score:5, Insightful)
The goal of Microsoft is to keep turning record profits after they saturated the market 30 years ago. Want to make sure your endpoints are up to date on patches? They now have a subscription for that. Want to avoid installing crap like this in the first place? They have a subscription for that too.
Re:Wrong (Score:4, Insightful)
What Microsoft overlooks is that there is a red line where they will just die if they cross it. They are dangerously close to that line and may be over it. I mean, how utterly incompetent can you get? A mistake like the one here can only happen if security aspects were completely ignored during development.
Any good monopolist knows that they have to deliver at least somewhat reasonable quality to retain the monopoly. MS does not understand that. Hence their products are now incompetently made toys.
Re:Wrong (Score:4, Insightful)
That's generally true but MS is only obliquely in the OS game it seems to me. They are concentrating on "cloud" and "AI", and companies are sending them money for these things. So they can completely screw the pooch on their toy OS and run all their crap on Unix and Linux and I doubt that would faze them. They probably already have versions of their biggest money spinner software running on those platforms.
Re: (Score:2)
And yet their cloud offerings have been hacked several times now and had an additional really bad vulnerability where nobody knows whether they got exploited ...
I think I do not need to even comment on the future of their AI plans ...
Re: (Score:2)
Seems like they're turning their desktop OS into a heavy client for 'teh cloud computing'.
Keep seeding their regular OS with security issues and then their reps can point to their 'managed OS client' and meet quarterly goals on subscription numbers.
Re: (Score:2)
Hmm. Obviously, they cannot hack this. But you may be on to something and they may be planning this.
Re:Wrong (Score:5, Interesting)
> What Microsoft overlooks is that there is a red line where they will just die if they cross it. They are dangerously close to that line and may be over it. I mean, how utterly incompetent can you get? A mistake like the one here can only happen if security aspects were completely ignored during development.
> Any good monopolist knows that they have to deliver at least somewhat reasonable quality to retain the monopoly. MS does not understand that. Hence their products are now incompetently made toys.
This. They crossed that line for me a good while ago. Like Windows 8 ago. And taking a simple but still useful product like Notepad, and bitching it up to the point that it is now a malware vector has me shaking my head, not in disbelief, but "here we go again". At this point, I only use my Windows Laptop if there's no other choice. I swapped out the space it was in for a Raspberry Pi 5 I've been playing with, and my not updatable to Windows 11 laptop that screams along on Linux Mint.
Now for myself, a geek - it's not all that surprising to abandon Microsoft as much as possible. But I'm getting feedback and am giving instructions from and to quite a few others who aren't such geeks. Technical adjacent. People who need a stable platform, who need a bit more than email, and web browser. And are tired of Windows update hell. And sometimes Microsoft even bitches up their own programs.
There are still a fair number of people out there who believe Microsoft is some kind of permanent entity. That it will be the go-to solution until the universe experiences proton decay. Reminds me of Ozymandias "My name is Microsoft, King of Kings: Look on my works, ye Mighty, and despair!"
Re: (Score:2)
I think we are at a decision point now. It can still go either way. I hope we will get the momentum that we can finally all ditch Microsoft over the next few years.
Re: (Score:2)
I would have said it was impossible, but the destruction of the US government is making it possible. If you couple people's latent but generally willfully ignored mistrust of Microsoft on a quality basis with their newly stoked distrust of the USA on a fascism basis, that might actually be enough to get them switching.
Here in the US there is enough nationalist denialism to keep it from happening on a large scale soon, but in the rest of the world, it might now be a thing. And then that will have repercussio
Re: (Score:2)
We really only need to break the monopoly. As soon as MS has to actually compete, they are totally fucked. If the US then keeps sticking to MS, that will just be one factor in its upcoming economic catastrophe.
Re: (Score:2)
Can it run (formerly) Sony Vegas? Can LibreOffice open a .docx file 100% correctly with no changes to formatting?
Or, would you still have to run something Windows-only in a VM with Windows installed to the VM? If so, what's the advantage of *Nix?
The alternative is keep running Win10, and just don't click every scam banner ad and download stuff from sketchy sites, and keep the machine behind a firewall, and you'll be fine (like me :-) )
Re: (Score:2)
So... if Trump is a pedo because he had something to do with Epstein at some point in the past (guilt by association... unless you have hard proof, like I always call for)... then, you have to ask yourself... what about your friends from school? Was one of them a pedo at some point in their life? What about the person waiting in line with you at the grocery store that you talked to? If it turns out one of them is a pedo, then you'd be as guilty (guilt by association) as Trump.
What about other names in 't
Re: (Score:2)
> What about other names in 'the list'? We don't see you making such a big deal about them, do we?
Whataboutism, your direct use of it.
You do understand that the people doing the whataboutism in this matter are politically differentiating that they are drawing a politically based line on the kiddie diddlers. Just shows who they believe should be allowed to engage in that sort of thing, and who they believe must be punished.
Meanwhile most of us are of the belief that if someone is guilty of such a thing, political party is irrelevant. You appear to have an opinion that differs, amirite?
What about th
Re: (Score:2)
At the same time, the only one you and ACs and drinkypoo and rsilvergun are all up in arms over is Trump.
I seem to remember there's more than just Trump (https://en.wikipedia.org/wiki/List_of_people_named_in_the_Epstein_files#T scroll down a little) in the documents (so far)... Woody Allen, Zuckerberg, your buddy Musk, Kennedy Jr., Dean Kamen, of course the Weinsteins, Jay-Z, Deepak Chopra, good ol' Castro... and, that's just from Wiki... I don't have (and I don't think anyone has) the time to sift through
Re: (Score:2)
> At the same time, the only one you and ACs and drinkypoo and rsilvergun are all up in arms over is Trump.
And Drinkypoo says everyone hates me. Classifying me with them is such intelligent deduction on your part.
I differ from you kind sir, that grown men who fuck children are all pedophiles, and you seem to excuse some. You aren't Jerry Sandusky are you?
Here's your problem. The Epstein and his island was a place where people went to fuck kids was as they say - "A secret all over town".
I knew about it, and I wasn't even a "prominent businessman." No way I would even be in the vicinity of the guy. This wa
Re: (Score:2)
> Can it run (formerly) Sony Vegas?
Oh yes, Cherry Pick something, then throw everything under the bus that don't run it.
Well Stockholm, (Ima call you Stockholm now, after the syndrome you display) I have programs that only run in MacOS, so according to your syndrome, Windows is no good because it doesn't run that program. Not the flex you think it is.
> Can LibreOffice open a .docx file 100% correctly with no changes to formatting?
I've had no difficulties reading and creating docx and every other file. And what a failed flex you make. Two things, Stockholm:
1. A lot of us have to use Libre because it reads files that
Re: (Score:2)
I'll just stick with Win10, and not do anything that'll install malware or viruses or anything on it (as in, download programs direct from whoever made the thing), and run the occasional HiJackThis and Spybot scan to make sure everything is as it should be.
Opened one of my .docx files in Libre... the formatting (in Office) was: page one, portrait, pages 2-3, landscape, rest in portrait... Libre decided to make it all landscape.... tried with a couple others with similar formatting, and the same thing happen
Re: (Score:2)
They even dropped their "open" (not really) format with the iso and simply don't use it in their office programs
uh, no? (Score:1)
There is nobody south of Satya or Amy whose P&L comprises the entire company. And I promise you that Satya or Amy did not make the decision to change Notepad. I may be a sarcastic asshole but believe it or not, I (and many others here) know what we are talking about and don't waste time just posting dumb drivel.
What I said is literally true - promotions at Microsoft are based on impact, hence people at Microsoft sit around brainstorming ways to show impact, hence people working on mature products do stu
Re: (Score:3)
That's one of the problems they have when they attain an optimal product. They have to start changing things just for the sake of change, and in the process, ruin the experience for customers. Instead, they should have reassigned those people to other projects, and just had security updates for Windows
Intel ruined itself by competing w/ its customers, and Microsoft is on that road by ruining the user experience. I don't see this ending well
Re: (Score:3)
> This could have been prevented by not removing Wordpad.
Yes. But that would require somebody sane with some actual insight and understanding of IT security at Microsoft making decisions. They do not have such people.
Re: Oh Microsoft... (Score:4, Insightful)
I don't know why these companies don't realize when you take an application that can't execute anything and you make it into an application that will execute anything depending on embedded codes, it's worth scrutinizing it. If you don't have the manpower or skills available to scrutinize it then you don't change it. Isn't that obvious?
Re: (Score:3)
> I don't know why these companies don't realize when you take an application that can't execute anything and you make it into an application that will execute anything depending on embedded codes, it's worth scrutinizing it. If you don't have the manpower or skills available to scrutinize it then you don't change it. Isn't that obvious?
Not obvious for them, it appears. NotePad wasn't a great product, but it was a useable one.
If they wanted a product that could wreck people's computers, they could have made a new product, not wreck the useable one.
Re: Oh Microsoft... (Score:4, Insightful)
> If they wanted a product that could wreck people's computers, they could have made a new product, not wreck the useable one.
They did. It is called Windows 11.
Re: (Score:3)
> > If they wanted a product that could wreck people's computers, they could have made a new product, not wreck the useable one.
> They did. It is called Windows 11.
Windows 10 had a bit of a rough start, but got better over time. Even Windows 8 improved with 8.1 - still sucked, but sorta useable. Windows 11 is getting worse as time goes on.
Re: (Score:3)
I thought that Windows 10 was great given that it restored at least somewhat the UI we were used to in 7. I remember switching from 8.1 to 10 the moment 10 was released: it was a joy to get back to that UI
I have been seeing recent videos benchmarking everything from XP to 11. 8 actually topped in performance, if one ran those tests: it was too bad that it was laden w/ that Metro interface. Had Microsoft left the Windows 7 interface on it - maybe just changing the windows button - while providing it w/
Re: (Score:2)
Re: (Score:3)
> This could have been prevented by not removing Wordpad.
Prevented in what way? Your post is non-sequitur.
Firstly, the simple version of Notepad has had quite a few critical security flaws over the years. https://threatpost.com/researc... [threatpost.com]
Secondly, so did Wordpad, which had several security exploits associated with it even before Microsoft stopped maintaining the application. Wordpad was dropped because it was a potential security attack surface.
Thirdly, Wordpad didn't support markdown meaning that this exploit right now has zero to do with Wordpad's existence.
Yea
Re: (Score:2)
god you are so fucking tired and boring.
And yet you sit here reading my posts. Says more about you than me really.
Re: (Score:2)
That version of notepad has been running smoothly since 1995. All it is is open a file, enter text into it and save the file. What security vulnerabilities does that have? It's up to the OS to prevent any malicious scripts from running
Re: (Score:2)
It's almost like you could have clicked the link I posted to answer your question.
Please if you want to join a discussion, have a read of the context first. No one likes a new guy coming in and having to stop to catch them up.
Re:Oh Microsoft... (Score:4, Insightful)
> You took something simple like Notepad, added features we didn't want, and not only made it worse but actually made it insecure and fundamentally broken.
> This could have been prevented by not removing Wordpad.
This!!! +5
The ideal thing for Microsoft to have done would have been to leave Notepad alone, and add those features to Wordpad instead! The latter already handled rich text, but they could have added tables, as well as support for tabs. That would have been far more useful
On a separate note, in Paint, Microsoft could have added tabs there, and made it more useful that way. One of the things I used to do w/ Paint was use it to combine images to make a custom wallpaper. W/ the latest version of Paint, I can no longer do it: last time, I had to go to Canva. But had Microsoft built tabs into Paint, one could have had the constituent images in different tabs, and copied all of them into a new tab, and then saved it under whatever image format one chose. That would have been ideal
Sherlock Holmes once noted about one of the people he got arrested, "But he had not that supreme gift of the artist, the knowledge of when to stop. He wished to improve that which was already perfect....and so he ruined all". That's the case w/ Microsoft: they had things perfect in Windows 7, although they could have swapped in the Windows 8 kernel w/o changing anything. But they had to muck around w/ everything good - Notepad, Wordpad and Paint - and today, Windows is a turd-show. On YouTube, there have been tests done that show that 11 is the slowest of all versions, and I think that it gives 8 tough competition, despite being similar to 10 in terms of UI
Re: (Score:2)
I really wanted some upgrades to Notepad. Specifically, I wanted multi-level undo and proper multi-click selection.
I wanted literally nothing else but I got it anyway.
Since Notepad actually just forgets all the edits you've made to a file on a network share if connectivity is lost I can no longer use Notepad for my prior use case. At all. Now I have to use Word. Word doesn't forget in that scenario, it "only" refuses to allow you to save to the same filename. As an aside, Excel doesn't forget either, and it
As expected (Score:2)
Microsoft has no security mind-set, while having a lot of security-critical products. Obviously, they mess it up time and again. Although the level of sheer incompetence on display here is astonishing even for them. Also remember "Security is our highest priority" (stated last probably in 2024 by MS CEO). If they make mistakes this grossly clueless and dangerous now, it just means they cannot do it right. No other interpretation is possible.
Think it is a little different (Score:3)
I just think the cause is a bit different.
They have this habit of making everything as general as possible without thinking through the implications, while trying to "extend" anything they didn't make. So you end up with a generic URL parsing library that will happily launch installers from a text file in Notepad and similar nonsensical capabilities nobody in their right mind would intentionally use. Software for Martians, borne out of nai
Re: (Score:2)
I agree with your statement. But I do not think that is a different reason. They have no security mind-set and no actual security experts involved in the decision making. That is what I would call "cannot do security". In the case at hand, any halfway competent IT security expert would have told them that this was excessively risky. Remember the log4shell vulnerability? This is basically the same stupid thing.
Incidentally, this bright-eyed "can do" attitude is the hallmark of bloody amateurs.
Good Low Level video on it (Score:5, Insightful)
Youtuber Low Level did a pretty good video on this vulnerability. Yes it is a bad vulnerability and yes it is serious, but it's not like a user isn't warned several times when clicking on such a link.
He also pointed out that the drive to put AI into everything now makes restricting process permissions a lot harder. For example in the past there was no reason to ever let notepad.exe access the internet. Now with copilot integrated, it's regularly accessing the internet. I don't think the boys at MS were thinking this through clearly.
https://youtu.be/sZ8aAkeZ6dw [youtu.be]
Re: (Score:3)
> but it's not like a user isn't warned several times when clicking on such a link.
But why does every app have to be a browser? Is this functionality going to be added to solitaire? Why not?
To me it seems that if Microsoft was in the tool business every thing would need to be, or function like, a hammer.
Re: (Score:3)
> For example in the past there was no reason to ever let notepad.exe access the internet.
Really, the more appropriate question is, "How do I, with a couple clicks, prevent an application from accessing the network?" Also, "How do I, with a couple clicks, quarantine an application exclusively to its working folder?"
Sure, you can do this stuff, but it's complicated and unreliable. Plus, if you're trying to restrict a program that's built-in to Windows, most of the time the firewall will ignore your settings anyway. It's kind of sad that modern OSes, including Linux, pretty much allow any appli
microslop... (Score:2)
drats! (Score:1)
Should I upgrade my win10 to win11? Am I late to the party?
Re: (Score:2)
Re: (Score:3)
The best thing to do would be to install a hypervisor on your computer, and then, on top of that, run whichever OS you fluently work in. As an example, let's say you install Hyper-V. On top of that, you have a Windows 10 VM in which you do all your work, but don't connect it to the internet. Use a Linux or BSD distro that Hyper-V supports for any internet related activities, such as web browsing
So you could have Hyper-V, and on top of that, have 2 VMs - Windows 10 and Debian. Use the latter for web br
40 years (Score:2, Insightful)
Notepad has been released for DOS in 1983 and for windos in 1985.
It seems 40 years just is not enough time to create a half decent text editor!
Re: (Score:2)
It was great all this time. One opened a file, entered text, saved the file and one was done. What else was needed? Yeah, it didn't have certain features that programmers might like, but I suspect programmers generally pick their own editors for their work
Re: (Score:2)
Re: (Score:2)
That's ironic (Score:3)
Microsoft claimed they were discontinuing Wordpad to reduce security flaw exposure from barely used unpatched and unmaintained software.
But at least they are consistent. Microsoft has a history of security issues on really basic software such as Notepad https://threatpost.com/researc... [threatpost.com]
EXCEPT http and https (Score:2)
Let the stream of malware happily continue...
Disgraceful (Score:1)
Unauthorized Bread Story Re:Disgraceful (Score:2)
"Unauthorized Bread: Real rebellions involve jailbreaking IoT toasters"
2020 ARS Story: Cory Doctorow’s book, Radicalized, is up for a CBC award. To celebrate, here’s an excerpt.
https://arstechnica.com/gaming... [arstechnica.com]
Shouldn't Have Messed With The Old Utilities (Score:2)
Stuffing new things into them to make them something else (such as a Wordpad replacement) makes them lose their charm and introduces new headaches.
You would think at this point, Microsoft could just offer MS Word for free with every Windows activation.
Can we just get the old notepad back please? (Score:2)
I just need a good text editor with 4 functions:
Open (text-only files), save, search and replace.
No markdown support, no AI copilot, no formatting, no lists, no URL support, no tables, no autocorrect.
Ya know, kinda just like the old notepad, except with the ability to show line numbers (the only thing I thought notepad needed). I saw the new one still can't either, despite all its other kitchen-sink bloat.
Re:Can we just get the old notepad back please? (Score:5, Informative)
You can still do that, you just need to jump through some hoops
- Disable app execution aliases for notepad.exe
- Uninstall the new notepad "app"
- Your old notepad application will be restored. It was never removed, and still lurks quietly in the C:\Windows\System32 folder.
Re: (Score:2)
Dave Plummer did that recently in one of his videos [youtube.com]. He essentially had Claude re-write NotePad to have features identical to the one in XP, and called it RetroPad
Notepad? (Score:2)
"standard" (Score:1)
> the company did not explain why it chose a prompt over blocking non-standard links entirely
These *are* standard links.