Notepad has a major security flaw that leaves Windows PCs vulnerable to hackers

A new security flaw has been discovered in one of the Windows operating system’s simplest apps: Notepad.

According to TechRadar, a security researcher has recently discovered a major vulnerability in Windows PCs involving Microsoft’s most basic text editor. The Notepad security flaw, as discovered by Google Project Zero security researcher Tavis Ormandy, could be exploited to let hackers take over whole computers “simply by loading some malicious code using Notepad.” And this particular flaw may affect PCs running versions of Windows as early as Windows XP.

The flaw itself, as TechRadar notes, involves taking advantage of a weakness in the Windows Text Services Framework. (This framework deals with things like text inputs, text processing, and keyboard layouts.) Within this framework is the source of the security flaw itself, a component known as CTextFramework. And as The Register reports, this component has its own security flaws that ultimately render it vulnerable to being hacked “via applications that interact with it to handle text on screen.”

Furthermore, TechRadar notes that Ormandy’s investigation into the Notepad flaw essentially found that the system’s security protocols “can be easily bypassed” and could allow hackers to not only increase their access privileges but also “gain access to multiple systems across the victim’s device.” Ormandy’s blog post on the matter further described the extent of the CTextFramework vulnerability:

“Firstly, there is no access control whatsoever! Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications – even privileged applications – to connect to you. Even when working as intended, CTF could allow escaping from sandboxes and escalating privileges.”

According to TechRadar and ZDNet, Microsoft has released a patch for this flaw, which is officially known as CVE-2019-1162. This patch was released on Tuesday, August 13, as part of Microsoft’s monthly release of security updates known as Patch Tuesday. ZDNet reports that the August 2019 edition of Patch Tuesday included patches for a total of 93 security flaws.

Anita George