Notepad, New Attack Vector?

Notepad, a Windows staple app that’s as indispensable as Paint, has a bug that can apparently be used by attackers to run remote code. Should we be worried? Is it a threat of a false-positive? Perhaps we should be worried. Microsoft has made announcements regarding the deprecation of longtime useful apps such as Paint given sufficient reason. Like Paint and Calculator, Notepad is the most basic, easiest to remember text editor out there.

Microsoft has been pushing OneNote and Sticky Notes as replacements but Notepad persists. There’s really no need to take it out given the insignificant amount of space the app takes up compared to the amount of useless bloat Windows has accumulated over the years. But thankfully, Notepad has received some good updates just last year and may not go away anytime soon unless, malware.

“Am I the first person to pop a shell in notepad?” He followed with, “This is a real memory corruption exploit, I’ve reported it to MSRC (Microsoft Security Response Center). Surprising number of people replied thinking I was just right clicking stuff…. I said ‘it’s a real bug’ 😆 It took me all weekend to find good CFG (Control Flow Guard) gadgets, just showing off… All I can say it’s a serious security bug, and we’ve given Microsoft up to 90 days to address it (as we do with all the vulns we report). That’s all I can share,”

–Tavis Ormandy, Researcher, Google Project Zero, via Twitter

According to Ormandy, Notepad has a memory corruption flaw that can be used to ‘pop a shell’ or open a command prompt. It can be unsettling especially given the all-controlling nature a shell with administrative privileges. Seeing apps briefly open a black screen or two makes me uneasy, even the trusted ones. So he probably has something here.

“Notepad is exposing so little of an attack surface it’s notable that it is still enough to give an attacker the ability to run arbitrary code… That’s not to say that given the little amount of what Notepad does there isn’t room for something to go wrong… Is this a benign thing? Or is this a real threat? Well, you have to ask yourself can an attacker cause Notepad to be launched, and to cause it to parse one of these files. Because if you can’t get to a specific application, it doesn’t matter if there’s a bug there… But today, post IE mitigations, there is no way to launch Notepad on a system unless you’re sitting at the computer,”

–Dan Kaminsky, Chief Scientist, White Ops

It’s a slight comfort that Mr. Kaminsky’s downplay of the Notepad exploit could be true but stranger things have happened right down to the processor level. Microsoft has less than 90 days to patch this problem, unless they get sentimental. Who knows how long it’s been there?