So what this means is every Windows program is now a cve nightmare (or goldmine, depending on view)?
a96•Feb 11, 2026
Always has been.
veltas•Feb 11, 2026
Yeah the other day in calc.exe I pressed F7 in programmer mode to change to octal (F5 to F8 select Hex, Dec, Oct, Bin), and instead it asked if I was sure I wanted to enable caret browsing.
balazspapp•Feb 11, 2026
I've found calc's currency converter feature frightening.
ddtaylor•Feb 11, 2026
Oof. That's a special kind of stupid. I get how it happened, but like, they found a way to make calc bad while also bringing an obscure feature in modern browsers I hate with a passion.
It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"
BLKNSLVR•Feb 11, 2026
One of the last straws that got me to migrate to Linux was how long it would take for calc.exe to open in Windows 10. Even on much older computers and much older versions of Windows it was instant. Suddenly in the mid-2010s the calculator is so bloated you have to wait a few seconds for it to load? Fuck off.
It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.
dark-star•Feb 11, 2026
Yeah, clicking unverified links in a markdown document to launch an executable....
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
bayindirh•Feb 11, 2026
Notepad was the epitome of a single, well functioning app in Windows for the last eternity or two.
Rewriting it to integrate AI and some bells and whistles recklessly and having a CVE is tragicomic if you ask me.
muvlon•Feb 11, 2026
What other markdown viewers or editors support URL schemes that just execute code? And not in a browser sandbox but in the same security context notepad itself is running in.
mananaysiempre•Feb 11, 2026
Funnily enough, the core Windows API here that brings with it support for every URL scheme under the sun is plain old ShellExecute() from the mid-90s IE-in-the-shell era when such support was thought reasonable. (I actually still think it’s reasonable, just not with the OS architectures we have now or had then.)
tosti•Feb 11, 2026
Clicking an unknown link shouldn't result in compromise. Fortunately, MS-Windows disallows running anything not vetted by MS unless you figure out how to bypass the "SmartScreen" filter. This filter is super annoying to many a techie or gamer, but for MS-Windows refusing to run "unknown" programs is a feature, not a bug.
So yes, MS will likely denounce this as not their problem and move on.
yrro•Feb 11, 2026
This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.
tosti•Feb 11, 2026
Funny that since the IE engine was plastered all over the place. Only 98lite could avoid it.
dark-star•Feb 11, 2026
so if you download a random EXE in your browser and run that, it can not result in compromise?
xxs•Feb 11, 2026
clicking links should not be a security issue and yes the CVE is totally deserved: that's remote code execution.
mrweasel•Feb 11, 2026
Even if you want Notepad to have clickable links, maybe not allow it to blindly allow every URL scheme known to man. It seems reasonable to limit it to do http/https and MAYBE mailto.
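The allowlist suggested in the comment above, as an added example that is not part of the thread and is not Notepad's code: a check a renderer could run on a link target before handing it to the OS shell. The names `link_verdict` and `check_link_target` are hypothetical, and the sample targets are constructed.

```c
/* Added example: gate a rendered link's target before it reaches the OS
 * shell. All names (link_verdict, check_link_target) are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum link_verdict {
    LINK_OPEN,              /* allowlisted scheme, well formed          */
    LINK_REFUSE_MALFORMED,  /* empty, control/space bytes, bad syntax   */
    LINK_REFUSE_NO_SCHEME,  /* relative path, UNC path or drive letter  */
    LINK_REFUSE_SCHEME      /* valid scheme that is not allowlisted     */
};

/* The allowlist from the comment: http, https and (maybe) mailto. */
static const char *const ALLOWED[] = { "http", "https", "mailto" };

/* Case-insensitive match of the n-byte scheme at s against a lowercase literal. */
static int scheme_is(const char *s, size_t n, const char *lit)
{
    if (strlen(lit) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != lit[i]) return 0;
    return 1;
}

enum link_verdict check_link_target(const char *url)
{
    if (url == NULL || url[0] == '\0') return LINK_REFUSE_MALFORMED;

    /* Refuse instead of normalising: no whitespace or control bytes at all. */
    for (const char *p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f) return LINK_REFUSE_MALFORMED;
    }

    /* RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" */
    size_t n = 0;
    if (isalpha((unsigned char)url[0])) {
        n = 1;
        while (isalnum((unsigned char)url[n]) || url[n] == '+' ||
               url[n] == '-' || url[n] == '.')
            n++;
    }
    /* n == 1 is a Windows drive letter ("C:..."), not a URL scheme. */
    if (n < 2 || url[n] != ':') return LINK_REFUSE_NO_SCHEME;

    int known = 0;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (scheme_is(url, n, ALLOWED[i])) known = 1;
    if (!known) return LINK_REFUSE_SCHEME;

    const char *rest = url + n + 1;
    /* Backslashes are read as path or authority separators by some parsers. */
    if (strchr(rest, '\\') != NULL) return LINK_REFUSE_MALFORMED;
    if (scheme_is(url, n, "mailto"))
        return rest[0] ? LINK_OPEN : LINK_REFUSE_MALFORMED;
    /* http/https must carry an authority: "//" followed by a host. */
    if (rest[0] != '/' || rest[1] != '/' || rest[2] == '\0' || rest[2] == '/')
        return LINK_REFUSE_MALFORMED;
    return LINK_OPEN;
}

int main(void)
{
    /* Constructed link targets, as a Markdown renderer might resolve them. */
    static const char *const samples[] = {
        "https://example.com/docs", "mailto:user@example.com",
        "file:///C:/tmp/notes.txt", "example-handler:open?id=1",
        "C:/tools/run.cmd", "\\\\server\\share\\a", "docs/readme.md"
    };
    static const char *const names[] = {
        "open", "refuse: malformed", "refuse: no scheme",
        "refuse: scheme not allowlisted"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i], names[check_link_target(samples[i])]);
    return 0;
}
```

Only a `LINK_OPEN` verdict would reach the shell call; every other verdict is a refusal the UI can report to the user.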
somat•Feb 11, 2026
I want to complain about the terminology used. It is probably just me, but RCE implies no user action required. It is a stupid, bad error yes, but because it requires the user to load a payload file and click on a link I would not really categorize it as a "remote" code execution type vulnerability.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
Aachen•Feb 11, 2026
Yes, that is the definition consistent with historical use of "RCE": a component is accessible in such a way that it is remotely reachable and you can get full code execution access on the machine via that bug (subject to whatever limits the process has within the OS, such as running as a certain user ID or seccomp or such). This attack is less like an RCE in a networked web server and more like bad file parsing in a PDF reader
Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor)
I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation
__bax•Feb 11, 2026
Just now Notepad integrates very useful copilot assistant... What can go wrong
g947o•Feb 11, 2026
To be fair this has more to do with Markdown than anything else.
Although I approve of neither feature. notepad should stick with what it does well.
bstsb•Feb 11, 2026
i imagine it’s probably something to do with the massive scope creep recently, especially with AI and the Markdown features - they’ve tried to fit some of WordPad’s rich text features following its removal
reddalo•Feb 11, 2026
I miss when the Notepad was doing what the Notepad is supposed to do: show a text file, plain and simple.
tosti•Feb 11, 2026
This was already better when the latest from MS was still called "* XP":
I used to overwrite c:\windows\notepad.exe with Metapad. At some point Windows security made this a pain though!
xnorswap•Feb 11, 2026
Wow that's a hit of nostalgia, I'd completely forgotten about metapad, but I loved it back in the day.
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
barosl•Feb 11, 2026
Oh wow, yes I remember now, I used to type `Alt+F` and then `S` immediately because Notepad didn't support `Ctrl+S` back then. Thanks for giving me nostalgia!
BLKNSLVR•Feb 11, 2026
I've still got the very fast muscle memory of "Alt-F S", I used to do it habitually in Word and Excel. Still do it occasionally, then having to then undo whatever it does now (luckily it's usually nothing), but sometimes it leaves the Alt press 'open' so the next letter I press does something unpredictable.
tosti•Feb 11, 2026
The menu should be closeable with escape according to IBM CUA IIRC
Borg3•Feb 11, 2026
Haha, yeah.. I'm using Notepad2 actually, because for LOOONG time, notepad.exe could not display LF files correctly... and Notepad2 has a bit more features, but still.. clean and lean.
rmunn•Feb 11, 2026
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files."
I didn't even know Notepad would render Markdown.
ddtaylor•Feb 11, 2026
Torture will continue until morale improves
TZubiri•Feb 11, 2026
I think it's very recent, I use it almost daily and only last week did I see a markdown file being rendered.
krater23•Feb 11, 2026
These kind of surprises are the reason why we should switch off auto update on every software.
BLKNSLVR•Feb 11, 2026
Notepad rendering other formats removes one of the specific reasons I use notepad: to strip the stupid formatting that all sorts of applications seem to want to attach to text these days.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of its magic: its immunity to the choices of marketing teams and dud management.
contextfree•Feb 11, 2026
Windows now has buttons in win-v (the clipboard helper popup) for this
powersurge360•Feb 11, 2026
I don’t know if it works for windows but on other operating systems if you hold shift while pasting it strips the special formatting. I don’t have a windows machine readily available but I hope even if it doesn’t work there this will be useful to other people reading the comment. I agree though. Basically the only format I ever want to keep is _sometimes_ the link with text. And even then usually not the exact coloring/indicators.
icegreentea2•Feb 11, 2026
You can still do this in W11 notepad. Firstly, there's a global setting for having formatting/markdown being enabled at all, and secondly it only does the rendering for .md files. Finally, while formatting is enabled, and editing a markdown file, you have the option to toggle between formatted and "syntax" view (ie raw text).
eviks•Feb 11, 2026
What AI great job!
jfaganel99•Feb 11, 2026
Notepad had one job... Seems like bringing markdown features killed it :)
szszrk•Feb 11, 2026
Markdown? They shoved copilot into it.
jfaganel99•Feb 11, 2026
Yeah, way more than the good old Notepad :)
TiredOfLife•Feb 11, 2026
copilot has nothing to do with this vulnerability
latexr•Feb 11, 2026
Something felt off about your comments, so I checked your account. You signed up almost six years ago, and in all that time made zero submissions and your only comments are these two on this thread? I’ve been seeing this more and more on HN. What exactly is going on here?
And decided to jump in on some threads just as well.
latexr•Feb 11, 2026
That post happened six hours after the comments. Doesn’t seem plausible they logged in to do it then got distracted.
netsharc•Feb 11, 2026
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
fhd2•Feb 11, 2026
> Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
LiamPowell•Feb 11, 2026
It's in fact the opposite. Browsers show a popup that asks if you really intended to click a link with a non http/https handler, notepad does not.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
fhd2•Feb 11, 2026
Ah, got it. Very different from where I suspected the issue then.
Fiveplus•Feb 11, 2026
We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
consp•Feb 11, 2026
> viewing data is a fundamental failure of the principle of least privilege.
I read the cwe not cve, was wrong. It's still early in the morning...
seritools•Feb 11, 2026
You are mistaken:
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
mwalser•Feb 11, 2026
> If I read it correctly (but could be mistaken), it runs with setuid root
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
dijit•Feb 11, 2026
People very often run notepad as administrator (anything launched from administrative powershell instances will run like this).
In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator "notepad %1"` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default)
And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files.
patates•Feb 11, 2026
> And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS.
MarleTangible•Feb 11, 2026
> Regardless, notepad is a very trusted application and is often run as Administrator.
Sorry to say this, but Notepad was a very trusted application now. I cannot believe that such a core utility has a 8.8 CVE, it sounds like a joke tbh.
dijit•Feb 11, 2026
A totally valid modification to the statement I made.
These are sad times.
cafebabbe•Feb 11, 2026
Question is, did they even realize they added a network-aware rendering stack...
autoexec•Feb 11, 2026
Is it giving MS too much credit to suggest that they probably didn't just vibe code their new notepad?
hennell•Feb 11, 2026
A utility meant for viewing data? I don't think you understand what a text editor is.
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
ntoskrnl_exe•Feb 11, 2026
I’m not sure I understand what you’re trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And I fail to see the new features as anything but useless bloat.
AnonymousPlanet•Feb 11, 2026
I'm not sure if we should use "gold standard" together with the little piece of garbage that notepad.exe was for most of its existence. It has been the bane for anyone who had to do work on locked down Windows servers and had to, e.g., edit files with modern encodings. They fixed some of it in the meantime, but the bitter taste remains.
iugtmkbdfil834•Feb 11, 2026
You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end is nigh.
ceving•Feb 11, 2026
They should have called it Emacs. Then everybody would have known.
weinzierl•Feb 11, 2026
"For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text."
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
jama211•Feb 11, 2026
Fascinating reading about that bug, thanks for sharing
direwolf20•Feb 11, 2026
It's not solved, we just don't have to guess the encoding any more because it's always UTF-8.
I am pretty sure it's possible to fix that entire category of bugs without introducing RCE vulnerabilities.
reyqn•Feb 11, 2026
Embarrassing bugs are not RCEs. Also the industry should be more mature now, not less. But move fast and break things, I guess...
sph•Feb 11, 2026
We have reached peak software stability, it's all gonna be downhill from here.
fwgijcqywqeo•Feb 11, 2026
We are living in the future!
cookiengineer•Feb 11, 2026
Peak software stability was Windows 7, that's why it's still used in industrial environments.
trinix912•Feb 11, 2026
Funny how back then people claimed peak stability was Windows 2000. 10 years from now people will look at Windows 10 and claim that was peak stability.
croes•Feb 11, 2026
> Now this is a solved problem
Is that so? I ran pretty often into problems with programs having trouble with non-ANSI characters
nuancebydefault•Feb 11, 2026
To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to persuade you to do something harmful.
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
egeozcan•Feb 11, 2026
> unless... you understood Chinese and the alternative text would manage to persuade you to do something harmful
Oh, here is the file I just saved... I see that it now tells me to rob a bank and donate the money to some random cult I'm just learning about.
Let me make a web search to understand how to contact the cult leader and proceed with my plan!
(luckily LLMs were not a thing back then :) )
dspillett•Feb 11, 2026
> nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
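The deterministic cases listed in the comment above, as an added example that is not part of the thread: a sniffer that decides only what the bytes can prove (BOMs, strict UTF-8, plain ASCII) and reports everything else as ambiguous instead of guessing a codepage. The names `text_encoding` and `sniff_encoding` are hypothetical, the sample buffers are constructed, and UTF-32 is assumed out of scope.

```c
/* Added example: classify a buffer by what can be decided from its bytes
 * and report the rest as ambiguous. Names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum text_encoding {
    ENC_ASCII, ENC_UTF8, ENC_UTF8_BOM, ENC_UTF16LE_BOM, ENC_UTF16BE_BOM,
    ENC_AMBIGUOUS   /* 8-bit codepage or BOM-less UTF-16: needs out-of-band info */
};

/* Strict UTF-8 check: rejects stray continuation bytes, truncated and
 * overlong sequences, surrogates and values above U+10FFFF. */
static int valid_utf8(const unsigned char *s, size_t len, int *non_ascii)
{
    size_t i = 0;
    *non_ascii = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;
        unsigned long cp, min;
        if (c < 0x80) { i++; continue; }
        *non_ascii = 1;
        if ((c & 0xE0) == 0xC0)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                    /* continuation byte or 0xF8..0xFF */
        if (len - i <= need) return 0;    /* sequence runs past the buffer   */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
        i += need + 1;
    }
    return 1;
}

/* Returns the encoding and, via bom_len, how many leading bytes to skip so
 * the BOM does not end up inside the first field of the data. */
enum text_encoding sniff_encoding(const unsigned char *buf, size_t len,
                                  size_t *bom_len)
{
    int non_ascii = 0;
    *bom_len = 0;
    if (len >= 3 && buf[0] == 0xEF && buf[1] == 0xBB && buf[2] == 0xBF) {
        if (!valid_utf8(buf + 3, len - 3, &non_ascii)) return ENC_AMBIGUOUS;
        *bom_len = 3;
        return ENC_UTF8_BOM;
    }
    /* Assumption: UTF-32 is out of scope, so FF FE is read as UTF-16LE. */
    if (len >= 2 && buf[0] == 0xFF && buf[1] == 0xFE) { *bom_len = 2; return ENC_UTF16LE_BOM; }
    if (len >= 2 && buf[0] == 0xFE && buf[1] == 0xFF) { *bom_len = 2; return ENC_UTF16BE_BOM; }
    /* No BOM: NUL bytes point at BOM-less UTF-16/UCS, which is not guessed. */
    if (len > 0 && memchr(buf, 0, len) != NULL) return ENC_AMBIGUOUS;
    if (!valid_utf8(buf, len, &non_ascii)) return ENC_AMBIGUOUS;
    return non_ascii ? ENC_UTF8 : ENC_ASCII;
}

int main(void)
{
    /* Constructed sample buffers with explicit lengths. */
    static const struct { const char *label; const char *bytes; size_t len; } samples[] = {
        { "plain ASCII",           "Bush hid the facts",      18 },
        { "UTF-8 with BOM (CSV)",  "\xEF\xBB\xBFid,name\n",   11 },
        { "UTF-8 without BOM",     "caf\xC3\xA9",              5 },
        { "8-bit codepage byte",   "caf\xE9",                  4 },
        { "UTF-16LE with BOM",     "\xFF\xFEh\0i\0",           6 },
        { "UTF-16LE without BOM",  "h\0i\0",                   4 }
    };
    static const char *const names[] = {
        "ASCII", "UTF-8", "UTF-8 + BOM", "UTF-16LE + BOM", "UTF-16BE + BOM",
        "ambiguous"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bom;
        enum text_encoding e = sniff_encoding(
            (const unsigned char *)samples[i].bytes, samples[i].len, &bom);
        printf("%-22s %-16s skip %u\n", samples[i].label, names[e], (unsigned)bom);
    }
    return 0;
}
```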
josephg•Feb 11, 2026
> to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM
Ah so that’s the trick! I’ve run into this problem a bunch of times in the wild, where some script emits csv which works on the developers machine but fails strangely with real world data.
Good to know there’s a simple solution. I hope I remember your comment next time I see this!
silon42•Feb 11, 2026
Excel CSV is broken anyway, since in some (EU, ...) countries it needs ; as separator.
OptionOfT•Feb 11, 2026
That's not an excel issue. That's a locale issue.
Due to (parts of?) the EU using the comma as the decimal separator, you have to use another symbol to separate your values.
dspillett•Feb 11, 2026
Comma for decimal separator, and point (or sometimes apostrophe) for thousands separator if there is one, is very common. IIRC more European countries use that than don't, officially, and a bunch of countries outside Europe do too.
It wouldn't normally necessitate not using comma as the field separator in CSV files though, wrapping those values in quotes is how that would usually be handled in my experience.
Though many people end up switching to “our way”, despite their normal locale preferences, because of compatibility issues they encounter otherwise with US/UK software written naively.
anthk•Feb 11, 2026
Locales should have died long ago. You use plain data, stop parsing it depending on where you live. Plan9/9front uses where right long ago. Just use Unicode everywhere, use context-free units for money.
dspillett•Feb 11, 2026
Locales are fine for display, but yes they should not affect what goes into files for transfer. There have always been appropriate control characters in the common character sets, in ASCII and most 8-bit codepages there are non-printing control characters that have suitable meanings to be used in place of commas and EOL so they could be used unescaped in data fields. Numbers could be plain, perhaps with the dot still as a standard decimal point or we could store non-integers as a pair of ints (value and scale), dates in an unambiguous format (something like one of the options from ISO8601), etc.
Unfortunately people like CSV to be at least part way human-readable, which means readable delimiters, end-of-record markers being EOLs that a text editor would understand, and the decimal/thousand/currency symbols & date formatting that they are used to.
dspillett•Feb 11, 2026
A lot of the time when people say CSV they mean “character separated values” rather than specifically “comma separated values”.
In the text files we get from clients we sometimes see tab used instead of comma, or pipe. I don't think we've seen semicolon yet, though our standard file interpreter would quietly cope¹ as long as there is nothing really odd in the header row.
--------
[1] it uses the heuristic “the most common non-alpha-numeric non-space non-quote character found in the header row” to detect the separator used if it isn't explicitly told what to expect
7bit•Feb 11, 2026
The very fact that UTF-8 itself discouraged from using the BOM is just so alien to me. I understand they want it to be the last encoding and therefore not in need of an explicit indicator, but as it currently IS NOT the only encoding that is used, it makes it just so difficult to understand if I'm reading any of the weird ASCII derivatives or actual Unicode.
It's maddening and it's frustrating. The US doesn't have any of these issues, but in Europe, that's a complete mess!
capitainenemo•Feb 11, 2026
From wikipedia...
UTF-8 always has the same byte order,[5] so its only use in UTF-8 is to signal at the start that the text stream is encoded in UTF-8...
Not using a BOM allows text to be backwards-compatible with software designed for extended ASCII. For instance many programming languages permit non-ASCII bytes in string literals but not at the start of the file. ...
A BOM is unnecessary for detecting UTF-8 encoding. UTF-8 is a sparse encoding: a large fraction of possible byte combinations do not result in valid UTF-8 text.
That last one is a weaker point but it is true that with CSV a BOM is more likely to do harm, than good.
g-b-r•Feb 11, 2026
Indeed, I've been using the BOM in all my text files for maybe decades now, those who wrote the recommendation are clearly from an English country
dspillett•Feb 11, 2026
> are clearly from an English country
One particular English-speaking country… The UK has issues with ASCII too, as our currency symbol (£) is not included. Not nearly as much trouble as non-English languages due to the lack of accents & such that they need, but we are still affected.
dspillett•Feb 11, 2026
> The US doesn't have any of these issues
I think you mean “the US chooses to completely ignore these issues and gets away with it because they defined the basic standard that is used, ASCII, way-back-when, and didn't foresee it becoming an international thing so didn't think about anyone else” :)
bsza•Feb 11, 2026
There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money.
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
usrbinbash•Feb 11, 2026
As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarrassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with one's fist for no good reason, and then complaining about the resulting pain.
MarleTangible•Feb 11, 2026
They also wanted to use the popularity of Notepad, so they replaced it with an AI bloatware version instead of creating a new app with extra features.
delecti•Feb 11, 2026
They didn't need to create a new app. At the same time that they started adding LLM garbage to Notepad, they discontinued WordPad.
They likely knew nobody would be drawn to WordPad by the additions, so they had to scavenge their rapidly diminishing list of actually useful software for sacrifices on the altar to their outrageous AI investments.
Ntrails•Feb 11, 2026
How long were they threatening to kill snipping tool despite it being a perfectly serviceable piece of kit so we could switch to some shitty alternative?
d3Xt3r•Feb 11, 2026
They did ultimately kill it though - and then they re-created it as a bloated UWP version that is an insane 449 MEGABYTES in size! The old win32 Snipping Tool used to be only a few kilobytes...
breppp•Feb 11, 2026
> Except no, we don't. notepad.exe was DONE SOFTWARE
While 8.8 score is embarrassing, by no measure notepad was done software. It couldn't load a large text file for one, its search was barely functional, had funky issues with encoding, etc.
Notepad++ is closer to what should be expected from an OS basic text editor
bsza•Feb 11, 2026
What counts as "large"? I'm pretty sure at some point in my life I'd opened the entirety of Moby Dick in Notepad. Unless you want to look for text in a binary file (which Notepad definitely isn't for) I doubt you'll run into that problem too often.
Also, I hope the irony of you citing Notepad++ [1] as what Notepad should aim to be isn't lost on you. My point being, these kinds of vulnerabilities shouldn't exist in a fucking text editor.
Remote into a machine that you're not allowed to copy data out of. You only have the utilities baked into Windows and whatever the validated CI/CD process put there. You need to open a log file that has ballooned to at least several hundred megabytes, maybe more.
Moby Dick is about 1MB of text. That's really not much compared to a lot of log files on pretty hot servers.
I do agree though, if we're going to be complaining about how a text editor could have security issues and pointing to Notepad++ as an example otherwise, it's had its own share of notable vulnerabilities even before this update hijacking. CVE-2017-8803 had a code execution vulnerability on just opening a malicious file, this at least requires you to click the rendered link in a markdown file.
bsza•Feb 11, 2026
Oh right, generated files exist. Though logging systems usually have a rollover file size you can configure, should this happen to you in real life.
Honestly I'm okay with having to resort to power tools for these edge cases. Notepad is more for the average user who is less likely to run into 100 MB text files and more likely to run into a 2 kB text file someone shared on Discord.
vel0city•Feb 11, 2026
> Though logging systems usually have a rollover file size you can configure, should this happen to you in real life
I get what you're saying. But if things were done right I probably wouldn't have to be remoting into this box to hunt for a log file that wasn't properly being shipped to some other centralized logging platform.
breppp•Feb 11, 2026
I know about the vulnerabilities in notepad++, however I was referring to the feature set.
Regarding large, I am referring to log files for example. I think the issue was lack of use of memory mapped files, which meant the entire file was loaded to RAM always, often giving the frozen window experience
vbezhenar•Feb 11, 2026
notepad.exe worked just fine.
Notepad++ is a monster software.
Romario77•Feb 11, 2026
Notepad++ might be too much for a simple utility.
Plus for many years Word was one of the main cash cows for MS, so they didn't want to make an editor that would take away from Word.
And you could see how adding new things adds vulnerabilities. In this case they added ability to see/render markdown and with markdown they render links, which in this case allowed executing remote code when user clicks on a link.
breppp•Feb 11, 2026
> Plus for many years Word was one of the main cash cows for MS, so they didn't want to make an editor that would take away from Word.
Wordpad was the bundled rich text editor and was also a mess
I don't think an improved notepad could have cannibalized Word
mghackerlady•Feb 11, 2026
For a good built in "done" text editor, there's Apple's TextEdit. It's barely changed since NeXTSTEP and works flawlessly and is FOSS. As much as I hate Apple there's a reason I have GNUstep installed on most of my *nix boxes
Aachen•Feb 11, 2026
I would agree if it were RCE
This definition in the first paragraph on Wikipedia matches my understanding of it as a security consultant:
> The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). --https://en.wikipedia.org/wiki/Arbitrary_code_execution
Issues in handling local files, whether they require user interaction or not, are just that
Doesn't take away from the absurdity that notepad isn't a notepad but does extensive file contents parsing
keepamovin•Feb 11, 2026
I couldn't agree more. A text editor exposing an attack surface via a network stack is precisely the kind of bloat that makes modern computing ultra-fragile.
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
For the built-in web-browser instance it likely contains by now.
daemoncoder•Feb 11, 2026
Ability to handle email coming soon.
autoexec•Feb 11, 2026
But can it play MP3s?
MonkeyClub•Feb 11, 2026
I'm sure eventually it will, it's law:
Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
oblio•Feb 11, 2026
> Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
Every text editor, including Emacs [...].
anthk•Feb 11, 2026
Emacs has EMMS for music, reusing mpg123/mpv/ffplay and the like, but it can emulate Vim well enough too ;)
Although now I'm using 9front, Sam and Acme. I feel myself weird not using the keyboard but at least I understood structural expressions for Sam/Acme really fast, first with 'Vis' and next under Acme. Oh, Acme can do mail and news and a bunch more... because it has I/O since the beginning, you can plug anything into it, from commands to the text buffer to sockets. Even a crude HN client if you dare.
xaldir•Feb 11, 2026
No, no, no, Emacs is a pretty good operating system, it just lacks a good text editor.
nicoburns•Feb 11, 2026
Looks like it's using it for encryption.
keepamovin•Feb 11, 2026
Encryption at rest (AES-GCM).
To meet FIPS 140-3, I can't roll my own crypto; I have to use a validated module.
I actually only link OpenSSL on Linux, and then only if it's in FIPS-mode. On Windows (CNG) and macOS (CoreCrypto), I use the native OS primitives to avoid the dependency and keep the binary small.
usrbinbash•Feb 11, 2026
Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer.
keepamovin•Feb 11, 2026
That is completely valid for personal threat models, I rely on LUKS/BitLocker for my daily driver too.
The specific gap this fills is 'Defense in Depth' + compliance. OS-level encryption (like FDE) is transparent once you log in. If you walk away from an unlocked machine, FDE does nothing.
App-level encryption, however, ensures the specific sensitive notes remain encrypted on disk even while the OS is running and the user is authenticated.
It's also portable as it allows the encrypted blob to be moved across untrusted transports (email, USB, cloud) without needing to set up an encrypted container/volume on the destination.
For FIPS/NIST workflows, relying solely on the OS often isn't enough for the auditor; having the application control the keys explicitly satisfies the 'data protection' control regardless of the underlying storage medium.
usrbinbash•Feb 11, 2026
> If you walk away from an unlocked machine
...then I might as well ask what happens when I walk away from the encrypting editor while a file is still open. User Error can happen with any encryption or security schema. Pointing out a truism is not an argument.
> It's also portable
So is encrypting files using a specialized tool. I don't need my editor to do this. The entire point of my criticism, and indeed the entire point of this thread, is that software that should focus on a narrow task, tries to do way too much, leading to problems.
dataflow•Feb 11, 2026
For what it's worth I understood the argument and think it is valid. It's one thing for the file you're working on to be vulnerable if you walk away leaving the editor open; it's another for all of your other files to be vulnerable too. It's O(1) vs. O(n). The difference is clearly not zero.
joshuaissac•Feb 11, 2026
> FIPS-compliant bindings (OpenSSL)
Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.
The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.
fuzzzerd•Feb 11, 2026
While I think this is good advice, the fact that it's true feels backward to me. "We have a legal or contractual obligation to be less secure than we otherwise would be." Just seems silly.
tristor•Feb 11, 2026
Welcome to the reality of most of the "information security" business, which is mostly just compliance by checkbox. A significant proportion of encrypted Internet traffic that is transiting government agencies or major enterprises gets decrypted in flight for inspection, literally inserting a black-box with privileged MITM capabilities into otherwise secure protocols, purely for the purpose of checking a compliance box, and that's not even the worst sin.
There's no insecurity like compliant cybersecurity :)
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
autoexec•Feb 11, 2026
EDIT.COM still works in dosbox
ganzsz•Feb 11, 2026
Edit is ported to win11 and edit(.exe) should work in your shell of choice.
But... did they add a http server in it? Mail reader?
naikrovek•Feb 11, 2026
no, and the person at Microsoft that wrote it is adamant about keeping it as an editor only.
nottorp•Feb 11, 2026
Management: add "AI" or we'll fire you and give the project to one who will.
suprfsat•Feb 11, 2026
Rewrote it in Rust
tormeh•Feb 11, 2026
That explains why it's so nice. Well, not really, but it does hint at it being new and built by someone who gives a damn. It's honestly far nicer for my use than vi or nano, which is annoying since I'm on Linux.
Edit: Fedora has it available as "msedit". What a time to be alive.
MonkeyClub•Feb 11, 2026
> the purity of "working with what's installed".
Oh, a kindred spirit!
I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.
(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)
ygra•Feb 11, 2026
> Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?
Even with MSBuild 4. From the days when .NET Framework was an OS component and also the build tools (until Roslyn) were part of the Framework.
sneak•Feb 11, 2026
Not having one’s configuration present is kneecapping yourself needlessly.
If you’re going to have a custom config, you might as well have a custom executable.
TZubiri•Feb 11, 2026
Oh but we have our configuration, it's all in the defaults baby. And what isn't like locking down /home/user permissions and increasing bash_history sizes, I keep it small and configurable in less than 2 minutes. (And server side only, which always requires more setup.)
Not saying that spending the first days on a new project configuring your custom setup with the company's stack is bad, especially if you are categorizing as employee and are looking for a multi year long run. But I tend to do small contracts, 1 to 6 months, and starting right away is a nice boost.
chrisjj•Feb 11, 2026
> Did you know Windows comes with a bare bones C# 5 toolchain
Shh, please. If MS find out, they'll add a parrot to "improve" it.
TZubiri•Feb 11, 2026
I played with the preinstalled languages in windows before, but the legacy stuff dizzied me before llms existed.
now that llms exist I am learning with dotnet, that now comes with windows, (or at least it comes with winget, and you can install a lot of kosher software, which is almost as good as having it preinstalled.)
If I ever hop onto an older machine I'll use the gpt to see what I get, I recall there's vbscript, apparently a .net compiler+runtime, and I saw a js interpreter in very old OS too.
A big inspiration in this realm is FogBugz historical "Wasabi". Their idea of compiling to PHP and C#, I think it was, because it's what most OS come with, and their corpo clients can use it as is. It's in a Joel Spolsky blog post somewhere.
BLKNSLVR•Feb 11, 2026
I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on.
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
mghackerlady•Feb 11, 2026
You can do that (probably even better) on linux with a Live Usb. I have a fedora one on my keychain since it has firefox and libreoffice included by default
oblio•Feb 11, 2026
> This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
What's your day job? Are you self employed?
funnybeam•Feb 11, 2026
Except it keeps reverting to the new notepad every few days….
I’ve been fighting this for the last couple of weeks but it just doesn’t stick
TZubiri•Feb 11, 2026
Did you bring out the big guns? Regedit.exe
Baerbeisser•Feb 11, 2026
There's still old tiny Metapad. And also more modern and fully featured (but still light) Notepad 2/3/4 and Notepad++.
For full replacement, I just renamed all instances to notepad.exe.bak, back then on Windows 7 & 10, and rename-replaced it with metapad.exe. Though, I guess with UWP apps (modern Notepad is one), it's just file associations nowadays. There's surely some mass-reassociate utility around?
Btw, nano is only 50/50 chance that it's pre-installed. Learn some vim, will ya? ;)
amlib•Feb 11, 2026
If he learns vim... gasp ...he will be cursed with having to install vim in every machine he touches for the rest of his life! :)
TZubiri•Feb 11, 2026
It usually comes with linux, but nano is simpler and it doesn't teach you by holding you hostage until you learn :q!
kgwxd•Feb 11, 2026
The day calculator brought me to an MS Store login was the day I became a radical.
cube00•Feb 11, 2026
Mine was when they asked me to rate the calculator on the store.
encom•Feb 11, 2026
The calculator on my Pixel phone has a privacy policy. I want to get off this ride.
> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
sneak•Feb 11, 2026
It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”.
cyanydeez•Feb 11, 2026
Microsoft is driving AI adoption. Why blame the workers for this?
throwpoaster•Feb 11, 2026
Microsoft is comprised of its workers.
jdsampayo•Feb 11, 2026
All workers are equal, but some workers are more equal than others
stalfosknight•Feb 11, 2026
I have been thinking about this Animal Farm quote a lot recently.
wormpilled•Feb 11, 2026
Why can't Indian software developers stand up for themselves and say no?
onion2k•Feb 11, 2026
Because there are plenty of developers who'll say yes, so anyone saying no is putting their ethics ahead of their livelihood. Few people will be willing to put their beliefs ahead of providing for their family.
It's easy to say you will, and very hard to actually do it.
eterm•Feb 11, 2026
That's what ethics are. If you don't make sacrifices for them they aren't ethics they're just conveniences.
trinix912•Feb 11, 2026
This is easy to say until you're an immigrant worker in a foreign country - something one probably worked for their entire life up to that point - risking it all (and potentially wrecking the life of their entire family) just to stop some random utility from having a Copilot button. It's not "this software will be used to kill people", it's more like "there's this extra toolbar which nobody uses".
In life you have to choose your battles.
xantronix•Feb 11, 2026
I hadn't made more solid connections between the current state of software and industry, the subjugation of immigrants, and the death of the American neoliberal order until this comment thread but here it lies bare, naked, and essentially impossible to ignore. With regards to the whole picture, there's no good or moral place to "RETVRN" to in a nostalgic sense. The one question that keeps ringing through my head as I see the world in constant upheaval, and my one refuge in meaning, technical craftsmanship, tumbling, is: Why did I not see this coming?
optymizer•Feb 11, 2026
"why won't other people make sacrifices for me?"
Because the society in US is arranged as a competition with no safety net and where your employer has a disproportionate amount of influence on your well being and the happiness of your kids.
I'm not going to give up $1M in total comp and excellent insurance for my family because you and I don't like where AI is going.
appreciatorBus•Feb 11, 2026
Just having the option of giving up $1 million in compensation puts one far far far above meaningful worries about your well-being and the happiness of your kids.
optymizer•Feb 11, 2026
Not really. We would have to downsize our life.
I'll have to explain it to the wife: "well, you see, we can't live in this house anymore because AI in Notepad was just too much".
I'll dial up my ethical and moral stance on software up to 11 when I see a proper social safety net in this country, with free healthcare and free education.
And if we can't all agree on having even those vital things for free, then relying on collective agreement on software issues will never work in practice so my sacrifice would be for nothing. I would just end up being the dumb idealist.
appreciatorBus•Feb 11, 2026
You can say exactly the same thing about the management and the shareholders. If they say no, someone else will say yes, so why blame them?
optymizer•Feb 11, 2026
Your solution for us to all agree to do the same thing is not realistic for the same reason that recycling doesn't really work, why we have a myriad of programming languages and similar but incompatible hardware, etc.
There is always someone who will take advantage of the prisoner's dilemma.
onion2k•Feb 11, 2026
They make the decision about what to say yes to. They can choose to do something else without it impacting their individual circumstances.
mghackerlady•Feb 11, 2026
It's a cultural thing. They'd much rather do what they think someone means than question authority
vachina•Feb 11, 2026
Hard to say no to paycheck
whatsupdog•Feb 11, 2026
Unjustified downvoting. You absolutely have a point. Not just software, also the gazillion UI/UX designers. They keep moving things around and changing colors and fucking things up just to justify their salaries. Case in point: Google maps. It was perfect 15 years ago. We don't need vomit inducing color changes every 2 years
jahsome•Feb 11, 2026
And yet, if they were raising a Series A, they'd be lauded as "disruptors"
cameron_b•Feb 11, 2026
By some
Some of us were impressionable when Jurassic Park came out.
jahsome•Feb 11, 2026
The vast majority of hn commentors, I'd wager.
zerkten•Feb 11, 2026
Even if you talk to users, you can do it the wrong way. Big companies are incentivized by the stock market to care more about new users than existing ones because their only focus is growth. Growth can't be rooted in your existing users is a common feeling in product management circles. If you try to do things for people other than your existing users, then you end up doing odd stuff that at best is a mild annoyance. More likely you hurt their ability to continue using the app.
wlesieutre•Feb 11, 2026
Exemplified by every website with a massive SIGN UP button and then a little 8 pt font log in tucked away somewhere underneath.
Gee thanks for helping me find the button I'll use literally once and making me hunt for the one I'll need the other 99999 times I use this service.
Existing users can go fuck themselves as long as new people are registering. Line go up!
bradfitz•Feb 11, 2026
I can’t tell you how relieving it is to hear somebody else complain about this. This has been my pet peeve for ages.
ThrowawayB7•Feb 11, 2026
Individual developers or even developer management doesn't get much of a say in product direction at large corporations. The product management folks are who decide what features go in and when.
GuinansEyebrows•Feb 11, 2026
PMs have resumes too :)
- Successfully led key efforts to modernize aging platform technologies
- Directed integration of cutting-edge system-wide artificial intelligence functionality
ThrowawayB7•Feb 11, 2026
If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results.
vachina•Feb 11, 2026
AI is useful but these management types typically don’t know how to make it useful.
bigstrat2003•Feb 11, 2026
Now imagine that you are someone who doesn't even think AI is useful, and imagine just how much more infuriating it is to have it crammed in. Drives me up a wall.
FridgeSeal•Feb 11, 2026
That’s why they spend all their time on LinkedIn creating “7 levels of ai readiness” instead of…actually doing anything productive and useful.
est•Feb 11, 2026
I think they came up with the exact right answer like:
> How do I add more features to get a promotion
psychoslave•Feb 11, 2026
But can it generate qrcode already?
tombert•Feb 11, 2026
It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”.
addhochohoc•Feb 11, 2026
You goto go with the times man, goto write yourself a fulltime job with a legacy.
gruez•Feb 11, 2026
>At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)?
From MSRC:
>How could an attacker exploit this vulnerability?
>An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Sounds like a bug where you could put an url like \\evil.example\virus.exe into a link, and if a user clicks it executes virus.exe
optymizer•Feb 11, 2026
That's why we have text editors, markdown viewers, image viewers, etc.
You were never able to "click a link" in Notepad in the past.
Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them.
Rohansi•Feb 11, 2026
I think there are more text editors around that render clickable links than there are that don't. Even your terminal probably renders clickable links.
Despite the scary words and score this wouldn't even be a vulnerability if people weren't so hard wired to click every link they see. It's not some URL parsing gone wrong triggering an RCE. Most likely they allowed something like file:// links which of course opens that file. Totally valid link, but the feature must be neutered to only http(s):// because people.
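The restriction described in the comment above (only http(s) links stay clickable), sketched as an added example that is not from the thread or from Notepad: a scheme allowlist applied to Markdown link targets before anything is handed to the OS shell. The regexes, function names and sample document are constructed for illustration, and the link extraction is deliberately simplified.

```python
import re
from urllib.parse import urlsplit

# Policy from the comment above: only web links are clickable.
ALLOWED_SCHEMES = {"http", "https"}

# Simplified extraction. Assumption: a real renderer would take targets from
# its Markdown parser's link nodes rather than from regexes.
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*([^)\s]+)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def classify_target(target):
    """Return (allowed, reason) for one link target, default deny."""
    t = target.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return False, "control character in target"
    # UNC paths (\\host\share\file) and //host/... never carry a scheme,
    # so they must be rejected before any scheme parsing.
    if t.startswith("\\\\") or t.startswith("//"):
        return False, "UNC or scheme-relative path"
    # "C:\..." would otherwise parse as a URL with scheme "c".
    if DRIVE_PATH.match(t):
        return False, "local drive path"
    m = SCHEME.match(t)
    if not m:
        return False, "no scheme (relative path or file name)"
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s' not in allowlist" % scheme
    try:
        host = urlsplit(t).hostname
    except ValueError:
        return False, "malformed URL"
    if not host:
        # e.g. "https:\\host\file": allowed scheme, but not a web URL
        return False, "http(s) URL without a host"
    return True, "ok"


def audit_markdown(text):
    """List (line number, target, allowed, reason) for every link found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        targets = [m.group(1) for m in INLINE_LINK.finditer(line)]
        targets += [m.group(1) for m in AUTOLINK.finditer(line)]
        for target in targets:
            allowed, reason = classify_target(target)
            findings.append((lineno, target, allowed, reason))
    return findings


def blocked_links(text):
    """Only the targets that must not be made clickable."""
    return [f for f in audit_markdown(text) if not f[2]]


# Constructed sample document (not a real file); evil.example is the
# placeholder host used in the thread.
SAMPLE = r"""# Notes (constructed sample)
See the [project site](https://example.org/docs) for details.
Open the [quarterly report](\\evil.example\virus.exe) here.
Local copy: [readme](file:///C:/Users/Public/readme.txt)
Mail me: <mailto:someone@example.org>
Viewer: [viewer](example-app://open?doc=1)
Odd one: [x](https:\\example.org\a)
"""

if __name__ == "__main__":
    for lineno, target, allowed, reason in audit_markdown(SAMPLE):
        verdict = "ALLOW" if allowed else "BLOCK"
        print("line %d: %-5s %s (%s)" % (lineno, verdict, target, reason))
```

The check is default-deny: anything that is not recognisably an http(s) URL with a host is rendered as plain text, which also covers handlers registered on the machine that the editor's authors never heard of.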
titzer•Feb 11, 2026
It'd be more hilarious if it weren't so sad. In just 10 years a disturbingly large number of huge development teams decided that making a GUI application using the old ways [1] was too hard and decided to ship an entire web engine (electron) to render 10 buttons.
[1] (native GUI widgets? agggh)
Rohansi•Feb 11, 2026
Which 10 buttons?
FridgeSeal•Feb 11, 2026
Large swathes of this industry have an obsession with investing 10x more resources into the wrong thing, than simply fixing the underlying issue.
JCattheATM•Feb 11, 2026
Things started going downhill when they added a Bing option to one of the menus, which was only very recently after they added support for *nix newlines. A very mishandled product, but then the whole OS has been mishandled since 10. Some would say 7.
numpad0•Feb 11, 2026
> At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
Everyone has to prove their worth by involving more people in ever embiggening trainwrecks every quarter in this day and age just to maintain employment, and without tangibly threatening anyone else's while at it. That's where the features are coming from. That's what needs to be fixed. Which also goes way beyond engineering.
lofaszvanitt•Feb 11, 2026
Now imagine that there are people who want to embed video players and image viewing in the terminal :D.
dgxyz•Feb 11, 2026
Seems whatever they do they step in shit. They should stop doing stuff.
They spent the last few years entirely compromising their products rather than improving them.
muragekibicho•Feb 11, 2026
Exactly my predicament. My laptop reached EOL but I'm struggling to purchase a new one.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
direwolf20•Feb 11, 2026
Install Linux
dgxyz•Feb 11, 2026
Yeah it sucks. Got an MBP here which was my refuge from Windows. That's gone to hell too.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
ddtaylor•Feb 11, 2026
Do you have a moment to talk about Linux?
w4yai•Feb 11, 2026
Half of my software doesn't work on Linux. My job also depends on running PE in a legitimate (read not Wine) environment - and I don't want to spend half of my RAM running VMs.
What should I do?
dgxyz•Feb 11, 2026
I had that problem about 20 years ago. I changed the job. I know that's an extreme position but to be tied to a steaming pile of crap is a career risk. I've seen people go down with ships in that way before and it scared me.
sbt567•Feb 11, 2026
One day I'm trying a modified Windows (bloat stripped) from team-os. And the difference is night and day. My old laptop finally can run Windows 10!
I wonder though if there are more open and trusted modified Windows being developed out there because trying random modified Windows in team-os is not getting me some confidence
petepete•Feb 11, 2026
If you have to use Windows, just grit your teeth and use it.
Thankfully I don't.
ddtaylor•Feb 11, 2026
I think there is a difference between using Windows as something you need versus using it as your home base. I shudder at the idea of trying to "build a nest" with Windows. I'll go stay in someone elses crappy nest for a night or two, but I can't live like that.
skydhash•Feb 11, 2026
Multiple computers. I have an MBA for whenever I need to do a meeting or do online shopping. But my personal usage (95%) happens on openbsd. Work provides a MBP that only has work stuff and only opened between work hours.
ddtaylor•Feb 11, 2026
I know many people that access many different systems using remote desktop for this purpose.
I use qemu in a docker container for many Windows related things, partially because I don't want to keep a "real" Windows system running and partially because I don't want to let that OS run outside of a VM or container.
It depends on your security mindset and goals, but I think we're far into the world of VMs and containers all the way down.
With respect to memory, try it and see. Modern Linux is very good at memory management, since it powers the entire data center world. You can certainly overcommit memory with Docker containers easily without a problem.
LandR•Feb 11, 2026
As someone who would like to get a new PC (but a desktop) for coding, and is considering a mac, why would you never buy a mac for coding?
I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.
muragekibicho•Feb 11, 2026
1. I like my laptops with USB ports and removable RAM and disk. I love computers and opening up a mac is a bad experience.
2. It costs an arm and a leg to replace parts on a Mac when you travel outside the United States. Replacing the keyboard on my first macbook cost the same as the actual price. I learnt my lesson. I don't need that Apple garbage in my life.
voidUpdate•Feb 11, 2026
I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too
cubefox•Feb 11, 2026
It needs far more features apparently. Tons more. That's why Notepad++ is popular. Which also had a severe security vulnerability recently. Which was actively exploited by some state actor like China.
leduyquang753•Feb 11, 2026
That recent Notepad++ incident was a supply chain attack, not a vulnerability in the original program.
SPICLK2•Feb 11, 2026
Strictly, no. But it was a vulnerability in the design of Notepad++, key elements here being the featureset that requires frequent updates and the lack of integrity checks during the upgrade process.
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
IsTom•Feb 11, 2026
> in the design of Notepad++
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
voidUpdate•Feb 11, 2026
You can if you use the windows store. It's just that you usually install things outside of that, unlike in linuxes where you generally use the package manager that can handle updates for you
delaminator•Feb 11, 2026
Plus Windows Store is not supported on all versions of Windows, particularly Datacenter versions - your most valuable assets!!
tracker1•Feb 11, 2026
You can jump through a couple hoops to get WinGet working in Windows Server environments without much issue. IIRC, there's a single PS1 script you can run to do it, followed by a reboot.
SPICLK2•Feb 11, 2026
I'm not sure who I trust less to handle package integrity, the 3rd party hosting provider that Notepad++ used, or Microsoft.
IsTom•Feb 11, 2026
A little tongue-in-cheek, but it's also an issue with windows, that it's owned by an untrustworthy company.
RobotToaster•Feb 11, 2026
Pretty sure winget does let you do that.
ampersandwhich•Feb 11, 2026
Recently, I was pleasantly surprised to discover that the Microsoft Store has a built-in CLI with that exact functionality. You just run `store updates` to check for updates to store-managed apps, and you can target specific items with `store update <update-id>`. Of course, there's also winget for non-store applications (`winget upgrade`). I find them pretty handy as I have become quite used to managing my Linux installations with pacman over the past year or so. I discovered the store CLI completely by accident. It's not widely advertised.
gchamonlive•Feb 11, 2026
I am driving an Ubuntu installation because it's what my current employer mandates and coming from arch it feels like going back to Windows. Oh-my-zsh, opencode, gemini-cli, bun, pyenv, nvm... All installed with curl | bash which is not as bad as a .exe or .msi -- those are scripts you can still easily inspect -- but it's also bypassing the pkg manager.
But I guess that's what you get when you fragment your ecosystem in apt, snap and gnome extension manager. I need to master nix asap.
tracker1•Feb 11, 2026
You mean like WinGet? or the Windows Store?
conductr•Feb 11, 2026
The OS provided option can be bare bones, stable, secure and just utilitarian. This promotes having people choose their own tools for the features they want and not really expecting much other than reliability from the OS version. They didn’t need to mess with a good thing.
Ok, tabs, I do like the tabs.
mdavid626•Feb 11, 2026
I extracted out notepad.exe, calc.exe and mspaint.exe from Windows 7. I use them on Windows 11. They work perfectly.
dgxyz•Feb 11, 2026
Might as well just use Windows 7 if the security surface is this bad on later windows.
omoikane•Feb 11, 2026
Windows 7 market share was actually growing for a while according to:
Not sure what caused the inflection point in December 2025.
dgxyz•Feb 11, 2026
wonder if it was dumping off windows 10 machines or lay offs that did it.
voidUpdate•Feb 11, 2026
I have the mspaint.exe from the same version too :P. It complains about registry stuff on launch but other than that it works fine. There's no spray can in the modern paint!
tomNth•Feb 11, 2026
I like paint shop pro, I use 4.12.
tracker1•Feb 11, 2026
I need to just break down and find an old version of that... from before the Jasc sellout. IIRC, it ran via Wine without issue too.
I try to use Pinta/Paint.Net, but it's not quite as good as I remember psp being. I don't even hate the newer MS Paint... though I'm only on Windows for my work environment and even then.
Aside: I've been using my personal computer more, so I can work on a limited surface with docker and ai agent, then just bring in the components I'm working on when ready. My work environment is really locked down, no wsl, no docker... and it's like working in 2002 to some extent... It's literally easier for me to create stand-alone projects, work on a given feature in complete isolation... AI agent mostly to boilerplate the environment and most of the automated sanity tests, then I can focus on just what I'm working on.
They also added strange hacked on half-support for alpha-transparency in modern MS Paint. Meaning there is an alpha layer, and imported stuff may utilize it, but if you need to do anything with that layer, you're basically SOL.
Better to have no alpha-transparency than whatever this is. At least old Paint just turned it white, and you could manipulate the white layer, with this working with the alpha layer is a nightmare.
mdavid626•Feb 11, 2026
Why does it show registry error?
I copied out mspaint.exe and some resource files as well were needed.
It runs for me without error.
jakub_g•Feb 11, 2026
For those of you on macOS who still want to benefit from arguably the best drawing application ever conceived, https://jspaint.app/ is THE way. Use it all the time when editing screenshots.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
Lex-2008•Feb 11, 2026
my favorite "easter egg" hidden behind File -> Exit menu item of jspaint.app... I still remember how it blew my mind the first time I saw it!
sheiyei•Feb 11, 2026
This wet my eyes. The times...
b3lvedere•Feb 11, 2026
Kind of a weird feeling that in order to get the better Windows 11 experience one requires programs from four operating system versions earlier.
Windows 11 also takes a huge amount of time to get working as I intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but I'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish I could run everything my family wants on Debian. I know I could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
mdavid626•Feb 11, 2026
I’d wish to use Linux.
But some things just don’t run there (properly).
Like Assetto Corsa EVO or SimHub.
d3Xt3r•Feb 11, 2026
When was the last time you tried it? Assetto Corsa EVO has a Gold rating on ProtonDB[1] and apparently SimHub also works fine, according to the SimHub forums[2].
Probably the only good thing about Google Docs becoming so popular in school/education use... All you need is a current Chromium based browser mostly.
The Web versions of Office, err MS 365, err CoPilot App.. (OMG!>!!>) ... aren't so bad to use in a Linux browser either.
d3Xt3r•Feb 11, 2026
> Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
You won't know until you try. My mum used all versions of Windows from 3.1 till Windows 7. She hated Windows 8, and that's when I decided to switch her to Linux (with XFCE) - and she felt the UI was a lot more familiar to her than Windows 8. I recently showed her a few screenshots of Windows 11, and she finds her current desktop (now on KDE) a lot more familiar than Windows 11. Same with Office, she prefers the older style toolbar of LibreOffice than the ribbon UI of modern versions of Office.
So maybe install it on a spare device as a trial and see how they like it?
titzer•Feb 11, 2026
I feel bad for anyone at MS who thought these applications needed anything more than bugfixes. Welcome to the Notepad team, the entire world would be better off if you did nothing at all!
tracker1•Feb 11, 2026
I just don't get why they didn't just add these features to WordPad, where it would at least make more sense.
hypercube33•Feb 11, 2026
There used to be a website that has these installable.
Update - it's just the games; I thought it had notepad and calc as well
leduyquang753•Feb 11, 2026
> (though the "about notepad" dialog shows the windows 11 version for some reason??)
It's because the program just calls a Windows API to display the version dialog of Windows itself.
you can also just uninstall the "new" notepad, at which point Windows will let you run the old one again (which is still shipped!).
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy notepad received, such as LF line ending support.
ptx•Feb 11, 2026
What? Did they accidentally revert the improvements they already made to previously shipped versions of the old notepad program?
tracker1•Feb 11, 2026
I think it's in reference to using Win9x notepad.exe as opposed to somewhere in the Win7-10 timeframe before they went over the top in Win11.
ptx•Feb 11, 2026
Ah, yes, I misread it as the newer versions shipping an older notepad.
TonyTrapp•Feb 11, 2026
Win9x Notepad in particular can only load files up to 64KB in size (edit: and supports only ANSI encoding, no Unicode). There were some actually useful additions to it up until Windows 10 or so - for example being able to handle LF (in addition to CRLF) line endings. But yeah, everything added in Windows 11 is just pure bloat.
pjmlp•Feb 11, 2026
The reason being it is a plain text edit component, with a window around it, hence the limitation.
zabzonk•Feb 11, 2026
Yep. Back when I used to teach Windows programming in C commercially, the course exercise was to replicate notepad. It was surprising how many of its features you could implement in a week-long course, especially as many of our clients were no great shakes at C.
SomeUserName432•Feb 11, 2026
I find notepad useful for sanitising clipboard content.
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
xnorswap•Feb 11, 2026
You can Ctrl+shift+v to paste plain text in windows.
sheiyei•Feb 11, 2026
In some cases. In others, the application does whatever it wants.
UqWBcuFx6NV4r•Feb 11, 2026
And funnily enough, Office for Mac doesn’t allow you to do this, or at least it didn’t used to. I think I may’ve just noticed that it’s started working.
mfro•Feb 11, 2026
Doesn’t work for me. The absolute most infuriating thing is that copying text out of OneNote pastes as AN IMAGE. The only way around this is sanitizing the text in a notepad on the host machine itself.
8cvor6j844qw_d6•Feb 11, 2026
> application does whatever it wants
Obsidian has a mildly infuriating default of opening previews with ctrl shift v keys instead of pasting with no formatting.
setopt•Feb 11, 2026
I somewhat regularly use the almost embarrassing key sequence Ctrl-C Ctrl-L Ctrl-V Ctrl-A Ctrl-X to sanitize text I’ve copied from a browser, using the address field to remove any formatting.
EE84M3i•Feb 11, 2026
I explicitly stopped this habit so that I don't accidentally do it with sensitive data I don't want to go to my search engine provider's auto complete API.
theandrewbailey•Feb 11, 2026
Disabling remote search autocomplete is one of the first things I do when I set up a new browser instance. It's a privacy and security nightmare I don't want.
masfuerte•Feb 11, 2026
Same here. And I just noticed yesterday that Firefox had added and enabled a "Suggestions from sponsors" feature. Which I've now disabled, but presumably it's been sending anything I type into the address bar to Mozilla since 2021. I am tired of Mozilla but Chrome is very much worse.
ETA: I only noticed yesterday because a "sponsored suggestion" popped up when I was typing, which I've not seen before. So either they actually enabled it recently, or advertisers don't bid on the kinds of things I usually type.
iso1631•Feb 11, 2026
ctrl-k is for the search box
ctrl-l is for the address box
At most I want the address box to do is look up a dns name. Which can still be a risk if I were to hit "enter" with sensitive information which could in some cases get pushed out to my DNS provider (which is me, but then it's possible the address would be pushed out to another resolver, and will also be logged in an unexpected place)
8cvor6j844qw_d6•Feb 11, 2026
> Disabling remote search autocomplete
I've always had a suspicion that even with auto complete off, some sort of telemetry or obscure feature is still leaking browser address bar text.
HugoTea•Feb 11, 2026
I do a similar thing but use the start menu search, Ctrl-C, WIN, Ctrl-V, Ctrl-A, Ctrl-X. You can do it all in one hand and can get really fast, assuming the start menu doesn't lag behind.
There's also the downside that it publishes all of your clipboard content to Bing search so maintain vigilance for confidential data...
andhuman•Feb 11, 2026
Have you tried using the run action instead to clean the data? Win+r
I've been using Win+R to paste it in the windows run box.
Amazingly still works on Win 11 and still seems to keep it local (bypassing the windows search), so I'm pleased to report consistent results for 30 ish years.
Of course, now I've mentioned it out loud, it'll be the next thing to go...
I don't know if it's just me being old and grumpy, but everything windows 8 and later (server 2003) seems like half-baked, unfinished enshittification. Trying to do something even vaguely "advanced" to a network adapter puts me back in windows 95 land along with the run box. The "manage" pane with device & disk manager and logs is from a totally bygone era yet it seems to still be the only way of getting that information. The worst bit is, I'm not complaining. All the bits that look and feel like they've been forgotten since Windows 2000 are the easiest, least infuriating bits of the system I interact with.
SoKamil•Feb 11, 2026
I always used browser address bar for that. But giving it a second thought, I uploaded the data to Google servers.
prmoustache•Feb 11, 2026
I have my firefox browser configured to keep using a separate search field and not make search queries in the url bar. It annoys a lot my partner if I let her use my computer to check something but it is frictionless once you unlearn bad habits.
d3Xt3r•Feb 11, 2026
I use the Run dialog (Win+R) for this.
hsbauauvhabzb•Feb 11, 2026
Win+r, ctrl+v, ctrl+a, ctrl+x, esc does this without spawning a non ephemeral window
d3Xt3r•Feb 11, 2026
Unfortunately this has a 260 character limit.
literalAardvark•Feb 11, 2026
Notepad is so slow at loading large files that it crashing quickly is a feature.
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
duskdozer•Feb 11, 2026
How do you edit notes using Microsoft Copilot 365 for Notepad Copilot using that version?
sheiyei•Feb 11, 2026
How do you write without being able to read with that version?
IshKebab•Feb 11, 2026
Support for Unix line endings at the very least.
throwaway198846•Feb 11, 2026
I feel vindicated by reverting to the old windows 10 notepad.exe
szatkus•Feb 11, 2026
> What more does notepad need?
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
gchamonlive•Feb 11, 2026
> What more does notepad need?
AI! It needs AI. Did I guess it right?
b3lvedere•Feb 11, 2026
Affirmative. You have unlocked the following achievement: "Get a head start of 45 minutes when we start destroying humanity".
gchamonlive•Feb 11, 2026
Since there'll be nowhere to run, could I be one of the first? Don't wanna have to deal with the hassle of having to watch my loved ones being chased down.
b3lvedere•Feb 11, 2026
Agreed. Your achievement has been revoked effective immediately.
e12e•Feb 11, 2026
Apparently windows 11 still ships with classic notepad?
If you go that far, metapad (from 98) is still better than notepad ever was. Also loads 100k lines files quickly.
anthk•Feb 11, 2026
Get notepad.exe from reactos' nightly ISO, it's in reactos.cab
Extract both the ISO and reactos.cab with 7zip.
layer8•Feb 11, 2026
Windows 11 still includes the old notepad.exe in its Windows directory [0]. Windows just “helpfully” redirects it to the new app if you try to run it. You have to turn that off in Settings under “App execution aliases”. Then you get the old Notepad.
[0] In the unlikely case that it isn’t there, you can add it through System > Optional Features > Add an optional feature.
layer8•Feb 11, 2026
Also, delete the key NoOpenWith under HKEY_LOCAL_MACHINE\Software\Classes\Applications\notepad.exe to enable file associations.
jameshart•Feb 11, 2026
Notepad always used to be essentially the standard MFC multiline text editor control in a window.
Wordpad was the same but a rich text editor control.
There’s very little need for it to have ever become more.
kuboble•Feb 11, 2026
I used notepad as my default, simple text editor for ages.
After they added copilot I finally gave up and uninstalled it and switched to one of the minimalistic clones of the good old notepad.exe
r2vcap•Feb 11, 2026
A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
dgxyz•Feb 11, 2026
Well technically Unixes like Linux are a mountain of legacy and they are fine.
Windows is just a mountain of shit.
direwolf20•Feb 11, 2026
Unixes like Linux are not immune.
dgxyz•Feb 11, 2026
True, as systemd and wayland point out elegantly. But at least there is a modicum of choice there.
jamespo•Feb 11, 2026
Ironic in a post about a CVE, as systemd offers more security options for starting services than anything else.
nananana9•Feb 11, 2026
"Fine"
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
dgxyz•Feb 11, 2026
The first point is fairly obvious and the latter point is not true (AppArmor etc)
oblio•Feb 11, 2026
Phew, I'm so relieved that now we have the One True Security Solution To Rule Them All, AppArmor.
Oh, what do you mean there's also SELinux, Snap, Flatpak, Docker, Podman, ...?
StilesCrisis•Feb 11, 2026
He did say "etc"...
oblio•Feb 11, 2026
Fairly sure the "etc" came after my comment, in an edit.
dgxyz•Feb 11, 2026
No, it didn't. I've only just come back to review it after I posted it and there wasn't a reply.
TZubiri•Feb 11, 2026
>Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc
Because a compromised user could infect shared executables and spread the infection. A bit harder to do with etc but for sure possible. The main target would be infecting bash and you are done from the get go.
>when literally the only files that matter to me are in /home, which is a free-for-all?
The home folder's read write is usually restricted to the user. The only scenario where this isn't the case to my knowledge is Ubuntu where others can read it, but this is just a huge flaw in Ubuntu that almost no other distro has.
oblio•Feb 11, 2026
> when literally the only files that matter to me are in /home, which is a free-for-all?
> The home folder's read write is usually restricted to the user.
Yeah, and that is the point. All user's programs including curl, wget, the web browser, anything else that connects to the network run as the user, and all the user's programs, by default, have access to everything inside ${HOME}.
Most people don't really care if /bin gets obliterated, but they do care dearly when /home/joe/photos/annies-2nd-birthday gets wiped.
skydhash•Feb 11, 2026
Protecting a user from himself is hard. Protecting user from others is easy. Linux is influenced by unix and a lot of installations are servers. Where most programs run under their own accounts.
You can always have two user accounts: oblio and unsafe-oblio and have a shared folder between the two for transferring files. Or invest into some backup software.
dgxyz•Feb 11, 2026
Backups FTW.
TZubiri•Feb 11, 2026
Just make another user bro. If you can't even create a user to run a program you distrust, the issue is not that windows doesn't provide sandboxes, it's that you don't use them
And no, it's not "a lot of work" it's the bare minimum
oblio•Feb 11, 2026
Yet 99% of the planet doesn't do "the bare minimum", bro.
We have supposedly all the smartest minds in the world working in tech and they haven't been able to create a simple, cheap, reliable cross platform solution for user data protection, backup and restore.
It's easier to blame users instead.
Zenul_Abidin•Feb 11, 2026
I rolled out a home-made backup script in Powershell - just a wrapper around wbadmin that backs up an entire system image and then a standard "Backup and Restore" backup on an external disk once I plugged it in.
I even signed it and everything.
razighter777•Feb 11, 2026
Linux /home is far from a free for all. flatpak, landlock, selinux, podman, firejail, apparmor, and systemd sandboxing all exist and can and do apply additional restrictions under /home
thewebguyd•Feb 11, 2026
Because Linux (and other nixes) have their root in multiuser/time-share systems/servers. Protecting the system* from the users was important, and protecting users from other users equally as important. Protecting the user's $HOME from themselves/user-level programs wasn't as much of a concern, the user was assumed to be responsible enough to manage it themselves.
lunar_rover•Feb 11, 2026
Canonical and Red Hat have been modernising things for a long time, albeit slowly. Most funds went into server components.
As for the desktop community… Well, it has a severe lack of professionals.
est•Feb 11, 2026
> a mountain of legacy and they are fine.
telnetd CVE-2026-24061. It's an embarrassingly simple exploit but took years to be discovered.
> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
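The argument-injection pattern in the quoted description, as an added example that is not part of the thread and is not telnetd's or login's actual code: a remote-supplied name placed directly into an argument vector, beside a version that validates it and puts `--` ahead of it. The function names, the allowed character set, the 32-character limit and the small getopt-style model are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGIN_PATH   "/usr/bin/login" /* path named in the quoted description */
#define MAX_USER_LEN 32               /* assumed limit for this example */

/* Before: the remote-supplied USER value goes straight into argv. */
static int build_login_argv_naive(const char *user, const char **argv, size_t cap)
{
    if (user == NULL || cap < 3) return -1;
    argv[0] = LOGIN_PATH;
    argv[1] = user;
    argv[2] = NULL;
    return 2;
}

/* Conservative account-name shape (an assumption of this example): first
 * character a letter or '_', then letters, digits, '_', '.' or '-'. */
static int username_is_safe(const char *user)
{
    size_t len, i;
    if (user == NULL) return 0;
    len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        int alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        int digit = (c >= '0' && c <= '9');
        if (i == 0) {
            if (!alpha && c != '_') return 0;
        } else if (!alpha && !digit && c != '_' && c != '.' && c != '-') {
            return 0;
        }
    }
    return 1;
}

/* After: reject odd names, and put "--" in front of the name so that a
 * getopt-style parser stops option processing before it reaches the name. */
static int build_login_argv_hardened(const char *user, const char **argv, size_t cap)
{
    if (cap < 4 || !username_is_safe(user)) return -1;
    argv[0] = LOGIN_PATH;
    argv[1] = "--";
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

/* Model of a getopt-style parser: count the elements it would treat as
 * options, i.e. those starting with '-' that appear before any "--". */
static int count_option_like(const char **argv, int argc)
{
    int i, n = 0;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0) break;
        if (argv[i][0] == '-' && argv[i][1] != '\0') n++;
    }
    return n;
}

/* Number of option-like elements the callee would see with the naive builder. */
int options_seen_naive(const char *user)
{
    const char *argv[4];
    int argc = build_login_argv_naive(user, argv, 4);
    return argc < 0 ? -1 : count_option_like(argv, argc);
}

/* Same for the hardened builder; -1 means the name was rejected outright. */
int options_seen_hardened(const char *user)
{
    const char *argv[4];
    int argc = build_login_argv_hardened(user, argv, 4);
    return argc < 0 ? -1 : count_option_like(argv, argc);
}

int main(void)
{
    /* Constructed inputs: the value from the quote and an ordinary name. */
    const char *samples[] = { "-f root", "alice" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-8s naive options=%d hardened=%d\n", samples[i],
               options_seen_naive(samples[i]), options_seen_hardened(samples[i]));
    return 0;
}
```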
Sohcahtoa82•Feb 11, 2026
Well yeah, but nobody sane still uses telnetd.
agumonkey•Feb 11, 2026
we still need a mouse icon rce until we reach peak
TZubiri•Feb 11, 2026
>No real sandboxing, a mountain of legacy…
You have:
- Windows Sandbox (consumer-level sandbox)
- Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
- HyperV (VM hypervisor)
- Edge Browsers
Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparison, on Ubuntu, user folder by default can be read by all users.
michaelsshaw•Feb 11, 2026
>Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.
thewebguyd•Feb 11, 2026
Windows has garbage defaults, but if you read through their documentation on enterprise architecture they definitely do not recommend having admin be the only account. They do in fact encourage separate accounts, multiple level of privileges with login restrictions across different types of machines, etc.
Many Linux distros are also guilty of this, disabling the root account by default and having the only user have sudo privileges, just like Windows.
michaelsshaw•Feb 11, 2026
Yes, however much more can be done in the user's own directory on Unix systems. Needing sudo raises some eyebrows, whereas most Windows users don't necessarily understand UAC, and almost never think twice about pressing "Yes" on the popups, which are seen more as an annoyance than something critical for safety. Some even completely disable UAC.
vel0city•Feb 11, 2026
> Common practice, and even encouraged by Windows itself, is having the administrator account be the only account.
This hasn't been true since Vista. Kind of even before that with XP, it really showcased using multiple accounts to home users with a much more stylized user selection screen.
cookiengineer•Feb 11, 2026
I still use VIM in the terminal. So far, I'm fine, but I assume there's gonna be some inevitable CI/CD compromises sooner or later.
karel-3d•Feb 11, 2026
Visual Studio Code was not compromised.
guidopallemans•Feb 11, 2026
Visual Studio Code is the compromise
michaelsshaw•Feb 11, 2026
Neither is Neovim, Sublime Text, Visual Studio, ed, etc... So what? This is still unacceptable
tristor•Feb 11, 2026
> At this point, what am I supposed to do other than uninstall Windows completely?
Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?
There is no valid excuse for this vulnerability. Its existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.
yoyohello13•Feb 11, 2026
Install vim for Windows. I just use gvim as a notepad replacement. No plugins or anything required.
Yeah, it's a re-creation of edit, but it's pretty great... also runs outside windows.
Zenul_Abidin•Feb 11, 2026
It was not compromised a few days ago, that's just when the attack was disclosed. The actual compromise and exploitation happened months ago for several weeks.
gradientsrneat•Feb 11, 2026
That was a CCP group compromising the Notepad++'s underlying hosting provider; not really much to be done there aside from switching hosting providers. The update validation was also improved, and there's also scoop if you don't trust the built-in updater. Fortunately the attack was narrowly targeted and the IOCs are known.
idoxer•Feb 11, 2026
We got notepad.exe RCE before GTA 6
hdgvhicv•Feb 11, 2026
So notepad now renders links, then when clicked executes the code on those links (not just loading a website in a browser for example)?
ankurdhama•Feb 11, 2026
My assumption here is that if the link is web link it will open that link in web browser but Windows (and other OSes) have custom URL handlers that open whatever app is registered for that URL and that app may have issues that causes it to download and run arbitrary code.
colinsane•Feb 11, 2026
Windows and other OSes have application launchers that open whatever app you want, and those apps may have issues that cause it to download and run arbitrary code. if that's the logic here, then every application launcher is vulnerable to similar RCE.
if there's really nothing more to this 8.8 RCE CVE than that, this will finally be the thing that makes me blackhole cve.org.
0xmattf•Feb 11, 2026
I'm at work, on a work computer, so can't fully test, but yes.
I saved this as test.md, opened it in notepad, clicked the link, and it popped open a command line:
[Click me](C:/Windows/System32/cmd.exe)
Can definitely go further than this; just a quick test.
To be fair, though, it's not just a click -> open/run. The user has to `ctrl+click` and will see the source of the link (at least I do).
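A check a Markdown renderer could run on a link target before handing it to the OS launcher (ShellExecute(), as mentioned earlier in the thread), as an added example that is not part of the thread and is not Notepad's code or Microsoft's fix. The two-scheme allowlist and all function names are assumptions; the sample targets other than the path from the comment above are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum link_verdict {
    LINK_OPEN_IN_BROWSER, /* http/https URL with a host: pass to the browser */
    LINK_BLOCKED          /* anything else: render as text, never launch */
};

/* Schemes this example allows (an assumption; adjust per product). */
static const char *const ALLOWED_SCHEMES[] = { "http", "https" };

/* Case-insensitive compare of a length-delimited scheme with a lowercase literal. */
static int scheme_equals(const char *s, size_t n, const char *lit)
{
    size_t i;
    if (strlen(lit) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != lit[i]) return 0;
    return 1;
}

/* Length of the RFC 3986 scheme at the start of t, or 0 if there is none:
 * ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":". */
static size_t scheme_length(const char *t)
{
    size_t i;
    if (!isalpha((unsigned char)t[0])) return 0;
    for (i = 1; t[i] != '\0'; i++) {
        unsigned char c = (unsigned char)t[i];
        if (c == ':') return i;
        if (!isalnum(c) && c != '+' && c != '-' && c != '.') return 0;
    }
    return 0;
}

enum link_verdict classify_link_target(const char *target)
{
    size_t i, n;
    if (target == NULL || target[0] == '\0') return LINK_BLOCKED;

    /* Control characters and backslashes do not belong in a web URL. */
    for (i = 0; target[i] != '\0'; i++) {
        unsigned char c = (unsigned char)target[i];
        if (c < 0x20 || c == 0x7f || c == '\\') return LINK_BLOCKED;
    }

    n = scheme_length(target);
    /* n == 0: relative, absolute or UNC-style path with no scheme.
     * n == 1: "C:" is a drive letter, not a URL scheme. */
    if (n < 2) return LINK_BLOCKED;

    for (i = 0; i < sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0]; i++) {
        if (scheme_equals(target, n, ALLOWED_SCHEMES[i])) {
            /* Require "//" and a non-empty host after the scheme. */
            const char *rest = target + n + 1;
            if (rest[0] == '/' && rest[1] == '/' &&
                rest[2] != '\0' && rest[2] != '/')
                return LINK_OPEN_IN_BROWSER;
            return LINK_BLOCKED;
        }
    }
    return LINK_BLOCKED; /* registered-handler schemes, file:, and the rest */
}

int main(void)
{
    const char *samples[] = {
        "https://example.com/page",            /* constructed */
        "C:/Windows/System32/cmd.exe",         /* target from the comment above */
        "file:///C:/Windows/System32/cmd.exe", /* constructed */
        "//server/share/tool.exe",             /* constructed */
        "someapp://open?x=1"                   /* constructed, hypothetical scheme */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i],
               classify_link_target(samples[i]) == LINK_OPEN_IN_BROWSER
                   ? "open in browser" : "blocked");
    return 0;
}
```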
eur0pa•Feb 11, 2026
Good job!
avaer•Feb 11, 2026
You can literally one-shot Opus 4.6 to make a better, faster, safer, more secure notepad.exe than the one that comes with Windows.
This isn't an AI slop problem.
egorfine•Feb 11, 2026
Tools are almost never the problem.
The application of tools is.
avaer•Feb 11, 2026
I 100% agree. I'm just trying to point out the problem isn't Microsoft AI slopping their software. Even if you slopped it, the software could turn out better than what they're putting out.
There must be something much worse than slop going on to get to this point.
szszrk•Feb 11, 2026
Notepad and mspaint have now copilot integration. With full authentication integration that will likely fail for people in corporate environment.
That's a slop if you ask me. Even if it wasn't vibe coded, it now wants me to vibe use it. Who the hell wanted that.
deaux•Feb 11, 2026
It's good ole enshittification, which became common at least a decade before the term vibe coding was coined.
g947o•Feb 11, 2026
Well, it might be "more secure" in the sense of "no hacker will use it as an attack vector", not necessarily "it is free of security bugs".
yellow_lead•Feb 11, 2026
I'd now like to see a RCE in MS Paint or Calculator, if the exploit finder is reading this.
st_goliath•Feb 11, 2026
Up next: forgotten Piet[1] autorun feature discovered in MS Paint. Customers complain after removal, insist they have existing legacy applications depending on it.
use SublimeText, it is perhaps faster now than the stock Notepad
outime•Feb 11, 2026
I can definitely vouch for this! I've been using it for many years and it's been essentially the same the whole time: fast, lean and working on all operating systems.
Krssst•Feb 11, 2026
Combined with LSP I find it to be quite a good IDE too. Handles extremely large source trees quite well.
xnorswap•Feb 11, 2026
As much as I used to love Sublime, the version switching caught me out which burned me a bit, even if admittedly my v2 key lasted an unreasonable time through the version 3 beta, but I don't want to risk buying a v4 key without a clear roadmap of when they might switch to version 5.
skydhash•Feb 11, 2026
It’s $99 for something that is almost 5 years old at that point.
bigstrat2003•Feb 11, 2026
They changed how that works. Licenses are no longer tied to version, you get 3 years of updates no matter what the version is.
lpcvoid•Feb 11, 2026
8.8 RCE CVE in notepad.exe. Well done microslop
j1000•Feb 11, 2026
use linux
repelsteeltje•Feb 11, 2026
I'm frankly amazed that the majority of new laptops still come with Microsoft Windows.
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for persistent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
core1024•Feb 11, 2026
It looks like, after Microsoft discontinued WordPad, they want to implement more features into Notepad. If you want simple plain text editor you have to use msedit[1].
You can still open the real notepad, you just have to turn off a "feature" that makes running notepad.exe open the new notepad. Its called "execution alias" or something like that.
tomNth•Feb 11, 2026
I just use the winxp wordpad.exe. (and calc paint notepad, and I use paint shop pro 4.12)
chrisjj•Feb 11, 2026
> Product
> Windows Notepad
Disambiguation urgently needed.
feverzsj•Feb 11, 2026
They could've just implemented it in webview2 with all the AI features they want.
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
BLKNSLVR•Feb 11, 2026
> It is to do with link handling:
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
Hackbraten•Feb 11, 2026
Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
nottorp•Feb 11, 2026
Except notepad was the safe option for editing files and making sure what you see is what gets saved. Not any more?
hulitu•Feb 11, 2026
Not. They want it to be Notepad + Wordpad and, in the future, Wordstar.
PlatoIsADisease•Feb 11, 2026
Maybe I don't understand what markdown support will imply, but doesn't this hide text?
Like, if I have a h2 or url, it's going to show as special text rather than the h2 tag?
contextfree•Feb 11, 2026
There's a toggle in the status bar and the View menu that switches between displaying Markdown as formatted vs. plain text
PlatoIsADisease•Feb 11, 2026
Oh that's not so bad.
I mean... other than it creating vulnerability... and maybe is the beginning of the end of notepad as a plain text editor...
Someone1234•Feb 11, 2026
You cannot claim you're "against feature bloat" while then in the same breath say that it is acceptable that a basic text editor have an entire additional render pipeline.
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
titzer•Feb 11, 2026
As I posted in a sibling, I thought the whole point of markdown was that it was simplified to the point that rendering it was easy to do from scratch. But we fumbled that because we (collectively) have no idea what we are doing.
thwarted•Feb 11, 2026
The whole point of markdown is that it is easily readable and editable and the structure is evident without being rendered. That it doesn't strictly need to be rendered in all or any context is its utility.
wang_li•Feb 11, 2026
>But we fumbled that because we (collectively) have no idea what we are doing.
Because, almost entirely, the software development industry has disclaimed all responsibility. It's super common for people to try to do shit they have no experience or skill at, push their effort to be adopted by others, then when it crashes and burns they have no accountability. If software "engineers" adopted the rigors and accountability and dignity of traditional engineering, the industry would be very different.
joquarky•Feb 11, 2026
Even traditional engineering is now being coerced by "move fast and break things" management.
It feels like a plague of ignorance and enshittification has silently taken over everything.
jerf•Feb 11, 2026
The main problem with "Markdown support" in Notepad is that "Markdown support" is an ill-defined phrase. The closest thing to a well-defined definition is to support CommonMark but that is far, far from universal. Microsoft being Microsoft they'd probably still half-ass the job then just declare their new half-ass support a newly embraced-and-extended standard and leave it that way for the next 20 years, so asking Notepad to support Markdown is in practice asking for yet another effing Markdown dialect to come into existence and join the shambling horde of other dialects.
Markdown is more properly understood as a family of related-but-mutually-incompatible standards, like CSV, and like "supporting CSV" is a lot more complicated than meets the eye. And supporting Markdown is already clearly non-trivial compared to the baseline of Notepad we've come to expect over the past few decades.
titzer•Feb 11, 2026
I might be dumb, but I thought the whole point of markdown was to get rid of all the bells and whistles of styling, having a really simplified and dumb format that only outlines structure. The follow-on being that many tools could parse, transform and render said markdown files in a way that makes sense for them. That way there's lots of tools that don't share code, but a shared definition of the format. I.e. markdown is a format (!?).
The problem is that overall we seem to have fumbled both the concept and the implementation. There are a bunch of vaguely similar but incompatible markdowns and apparently rendering them is too hard and people immediately reach for an enormous pile of software (usually a web stack) to render it for them.
It should have been entirely possible for a person to write a markdown parser in a couple hours and e.g. render paragraphs, bulleted lists and tables into a terminal.
jerf•Feb 11, 2026
Goals aren't results. It was a goal for Markdown to be simple and universal. It is not a result.
You may be struggling a bit because you are reading some sort of moralization into the statement, some sort of emotional judgment, but there isn't any. It is clear that there does not exist a function that takes a span of "Markdown text" in and emits an abstract syntax tree that everyone agrees upon [1]. That's a fairly mathematical way of putting it, but even from an engineering point of view, the differences matter. Very quickly. It's not like you need to reach deep into crazy syntax to get to real, concrete disagreements between systems, you can hit problems with something as simple as
"_hello world _"
between the systems where they will do substantially different things.
There are literally dozens of markdown formats now.
How we got there, why such a thing exists, as interesting as those questions may be none of them change the reality on the ground. There is no universal markdown to be appealed to. The closest is CommonMark, and that explicitly exists precisely because there was no consensus in the first place. If markdown was a format, CommonMark would never have been created.
[1]: Nor does its inverse, which at times is more frustrating to me than this. I have in mind what I want to do and either can't figure out how to do it or it simply can't be done.
titzer•Feb 11, 2026
The answer, of course, is to design a new, universal markdown format :)
But seriously though, all those weird markdown formats could easily just have their own custom parsers that then translate into the common format--supposing the common format is the union of all their features.
tracker1•Feb 11, 2026
Just... no... not notepad.. Notepad should be the single-simplest of text editors, always has been, always should be... it should be "safe" much like "task manager" it should be as simple and bulletproof as any application in Windows are... these are essential tools that should never, ever, ever break.
MS has WordPad... fck around with that to make it support markdown or whatever else beyond rtf you want it to support. For that matter, it's probably that much more appropriate to do so.
Do I typically use Notepad, no.. not really... I actually use the new rust based edit terminal app more than Notepad. That said, I expect notepad to do one thing... edit text files, and to not break doing so. The ONLY* addition that might be acceptable would be a HEX Editor mode, so you can edit any file.
There are maybe 5-7 applications in Windows I expect to never break... task manager, notepad, registry editor, file explorer, command prompt are at the top of that list... these are the golden tools that should never fail, even if everything else does.
Zenul_Abidin•Feb 11, 2026
Old notepad is still there, it's just in System32 and you have to disable app execution alias for notepad.exe (apps > advanced app settings > app execution aliases)
alternatex•Feb 11, 2026
WordPad was discontinued.
procaryote•Feb 11, 2026
Markdown is readable as plain text, that's kind of the point of it
There's also a pretty large jump between "I can ask the system to open this link in the default browser" and "I have built my own link handling in a memory-unsafe language to support some really fringe features, and oops it's exploitable"
iso1631•Feb 11, 2026
> Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light.
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
DavidPeiffer•Feb 11, 2026
I was really hoping this CVE would have been caused by the Copilot integration into Notepad.
Calculator hasn't been infiltrated by Copilot yet, but I'm sure the day is coming.
danudey•Feb 11, 2026
Hey Calculator, how many R's are there in strawberry?
hbn•Feb 11, 2026
Calculator asks you to rate it in the app store...
You're the preinstalled calculator!! You don't have to compete with other apps!!
0cf8612b2e1e•Feb 11, 2026
The desperation for feedback is grating. You have a monopoly position, you know I cannot switch from this, why waste my time with this dialogue? Not like you take user opinions seriously anyway.
samspot•Feb 11, 2026
It's hard for me to imagine anyone balking at this feature. My core note taking workflow frequently involves:
1. Note about blah
2. Paste link to blah
3. Open that link later when reviewing my notes.
Blah is sometimes a web link, sometimes a link to a doc on my system, and sometimes a link to an item in my todo tracker. The better analogy is this is like a pencil having an eraser built in.
I use Drafts instead of Notepad, but if I used Notepad I would want to be able to easily open links in my notes. When I do find myself in Notepad, it's because I double clicked on a readme file that often contains links to resources I need.
delusional•Feb 11, 2026
But then notepad wouldn't be fetching the content. While I would still prefer notepad to be simple, and just making you copy paste the link, I would expect it to forward a link a browser, or something. I would not expect notepad to go out and fetch random content from the internet.
derefr•Feb 11, 2026
Notepad stuck around in Windows for so long, despite Wordpad also being built-in, because Notepad was supposed to be for e.g. editing C:\AUTOEXEC.BAT or C:\Windows\System32\hosts.txt in Safe Mode. It was basically supposed to be the /bin/sh to Wordpad's /bin/bash — the thing that'll save you in maintenance mode when the system is so hosed that nothing more complex will launch.
If your computer was working, there was never really supposed to be a reason to invoke Notepad. Programmers were expected to install IDEs or third-party text-editor software. Microsoft's own READMEs have always been .rtfs ever since Windows 95. And so on. For a little while, you might use it to view system log files? But the Windows NT lineage gave Windows an Event subsystem with its own MMC-based console, so even that didn't require Notepad any more.
It's therefore bizarre that Microsoft have decided to "enhance" Notepad into this pseudo-rich-text thing, while also sunsetting Wordpad; when it seems like what they really wanted was to "enhance" Wordpad to also do what Notepad does, while sunsetting Notepad. (Even with full back-compat, they could have done this by making Notepad.exe a stub that launched Wordpad.exe with flags.)
gcr•Feb 11, 2026
What does “unverified protocols” mean? Does Windows have an exe:// url scheme that fetches and runs executable binaries or something?
gruez•Feb 11, 2026
Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have an RCE
eugenekolo•Feb 11, 2026
But is it running ShellExecute on URIs?
electroly•Feb 11, 2026
I believe it is. Just tested it. You can make the link "C:\windows\system32\cmd.exe" and clicking it will launch the Command Prompt. I noticed you can't make it "C:\windows\system32\cmd.exe /c some-nefarious-thing"; it doesn't like the space. Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.
gruez•Feb 11, 2026
>Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.
1. You can use UNC paths to access remote servers via SMB
2. Even if it's local, it's still more useful than you make it out to be. For instance, suppose you downloaded a .zip file of some github project. The .zip file contains virus.exe buried in some subfolder, and there's a README.md at the root. You open the README.md and see a link (eg. "this project requires [some-other-project](subfolder\virus.exe)". You click on that and virus.exe gets executed.
jkrejcha•Feb 11, 2026
> 1. You can use UNC paths to access remote servers via SMB
Programs (this is true for most mainstream operating systems) can become network facing without realizing it. I've sometimes found that a bunch of Windows programs tend to assume that I/O completes "instantly" (even if async I/O has been common on Windows for a very long time) and don't have a good UX for cancelling long running I/O operations
electroly•Feb 11, 2026
Definitely; I didn't mean to underplay it. Here's a fun one:
[Free AI credits](C:\windows\system32\logoff.exe)
It works. This is a real exploit that you could do things with.
thwarted•Feb 11, 2026
What if the space is url encoded %20 ?
Zenul_Abidin•Feb 11, 2026
That wouldn't work because Windows doesn't understand url-encoded sequences.
graemep•Feb 11, 2026
Is this a big deal? is it also not a problem with anything that renders clickable links? Browsers, email clients, whatever.
Is this not a problem with anything that offers a preview of markdown (or HTML, or anything with embedded links)?
laserbeam•Feb 11, 2026
The problem is notepad itself would download and execute bad stuff if you click the evil link. If you would paste that same link in a browser you'd be ok.
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
graemep•Feb 11, 2026
So Notepad will download and execute itself rather than launch an appropriate application to handle the URL? That was not clear to me.
BLKNSLVR•Feb 11, 2026
Just imagine all the problems that wouldn't have occurred if email remained text only!
abustamam•Feb 11, 2026
It could be. But why is notepad doing anything other than rendering text? I don't expect it to make links clickable, or render markdown.
richardfey•Feb 11, 2026
I feel like the process of carving out any meaning out of "QA" is complete.
It's cathartic, in its twisted way...
jmyeet•Feb 11, 2026
I found a simpler explanation for what's going on [1].
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Electron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
The funny thing is browsers figured out years ago you need to warn users before launching random protocol handlers. Microsoft added clickable links to Notepad and just skipped that part entirely. It's not even about the feature creep, it's that they reinvented something browsers solved ages ago and somehow forgot why those safeguards existed in the first place.
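Added example, not from the thread and not Microsoft's code: the kind of pre-launch check the comments above describe, sketched for Markdown links. It classifies each link target and lets only web schemes through; the allow-list, the extension list, the policy table and all function names are assumptions, and the sample README is constructed from link shapes quoted in this thread.

```python
import posixpath
import re

# Assumption: schemes a viewer may hand to the OS without asking.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Assumption: non-exhaustive list of extensions the shell would run.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr",
                   ".ps1", ".vbs", ".js", ".hta", ".lnk"}

# Assumed policy: what the viewer does for each kind of target.
POLICY = {
    "allowed-scheme": "open",
    "fragment": "open",
    "relative-path": "confirm",
    "custom-scheme": "confirm",
    "relative-executable": "block",
    "local-path": "block",
    "file-url": "block",
    "unc-path": "block",
}

# Inline links only: [label](target "optional title").
# Simplification: no reference-style links, no nested parentheses.
LINK_RE = re.compile(r"\[([^\]]*)\]\(\s*<?([^)>\s]+)>?[^)]*\)")
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]")
# A single letter before ':' is a drive on Windows, so test it before schemes.
DRIVE_RE = re.compile(r"^[A-Za-z]:")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def classify_target(target: str) -> str:
    """Return the kind of a link target, judged on the raw string."""
    t = target.strip()
    if t.startswith("#"):
        return "fragment"
    if UNC_RE.match(t):
        return "unc-path"
    if DRIVE_RE.match(t):
        return "local-path"
    m = SCHEME_RE.match(t)
    if m:
        scheme = m.group(1).lower()
        if scheme in SAFE_SCHEMES:
            return "allowed-scheme"
        return "file-url" if scheme == "file" else "custom-scheme"
    # No scheme: a path relative to the document, resolved by the shell.
    ext = posixpath.splitext(t.replace("\\", "/"))[1].lower()
    return "relative-executable" if ext in EXECUTABLE_EXTS else "relative-path"


def scan_markdown(text: str) -> list[dict]:
    """List every inline link with its kind and the assumed action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in LINK_RE.finditer(line):
            kind = classify_target(m.group(2))
            findings.append({"line": lineno, "label": m.group(1),
                             "target": m.group(2), "kind": kind,
                             "action": POLICY[kind]})
    return findings


def needs_attention(text: str) -> list[dict]:
    """Links that must not be launched silently."""
    return [f for f in scan_markdown(text) if f["action"] != "open"]


# Constructed sample; hosts, paths and the custom scheme are placeholders.
SAMPLE_README = r"""
# Example project (constructed sample)
See the [guide](https://example.com/guide) or jump to [setup](#setup).
This project requires [some-other-project](subfolder\virus.exe)
[Free AI credits](C:\windows\system32\logoff.exe)
Tools live on [the share](\\fileserver.example\tools\setup.exe)
Old notes: [report](file:///C:/Users/Public/report.txt)
Open in [the app](exampleapp://open?id=1), read [notes](docs/notes.md)
"""

if __name__ == "__main__":
    for f in scan_markdown(SAMPLE_README):
        print(f'{f["line"]:>2} {f["action"]:<8} {f["kind"]:<20} {f["target"]}')
```

The label is reported next to the raw target because the thread's examples rely on the visible text hiding where the link goes.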
naikrovek•Feb 11, 2026
In the past I would have defended Microsoft for this, somehow.
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
Stevvo•Feb 11, 2026
Old notepad is still in Windows 11 at C:\Windows\notepad.exe
petee•Feb 11, 2026
Works great still, but now windows won't let me associate .txt files with it. God damn I hate the future
1970-01-01•Feb 11, 2026
ftype txtfile=c:\windows\NOTEPAD.EXE %1
petee•Feb 11, 2026
I can successfully set that as admin, but it doesn't change anything - file won't open and "open with" pops up an error still that notepad can't be used.
Edit: going with EmEditor; forgot that existed
xaldir•Feb 11, 2026
And they even put a nagware in it to point you to the new notepad. Oh MSFT.
31337Logic•Feb 11, 2026
Actually, the big red flag for me was the removal of "My Computer".
Folks, you might still think it's "your computer" but Microsoft clearly doesn't.
You've got something they want and they will stop at nothing to take it from you.
This should be treated as an all-out war.
ubixar•Feb 11, 2026
Notepad had one job, display text. Microsoft decided it needed an attack surface instead.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
vachina•Feb 11, 2026
More like the year of the Mac OS (or MacBook). Once market saturates with cheap M series you will see everyone switching.
dkga•Feb 11, 2026
One of the (not so many) things about Windows that I loved was the zen simplicity of the Notepad. I saw it through Windows 3.1 all the way to the bloated oblivion it was driven to, and I did not like to see that sad, final chapter. (Broader theme, do I miss the simpler computer times!)
reactordev•Feb 11, 2026
As if you needed another reason to switch to Linux
phendrenad2•Feb 11, 2026
Microsoft is stuck in exactly the same situation Linux is: It has to be all things to all people. It has to be simple enough that grandma can use it, but powerful enough to not alienate their business customers. Putting link-handling (rich text) in Notepad (the plain-text editor) was idiotic, however.
anthk•Feb 11, 2026
If you can use Reactos' Notepad.exe from the daily ISO build (extract reactos.cab with 7zip) the better.
VagabundoP•Feb 11, 2026
Bear with me, but I'm not again' the new Notepad. It's fairly well done - the markdown - and even the AI dropdown presets seem useful.
But I do wish they had called it something else and kept notepad as txt only.
self_awareness•Feb 11, 2026
This wouldn't happen if they'd use more LLM models to triple-check what previous models did during development!
delduca•Feb 11, 2026
Conglatulations Microslop.
1970-01-01•Feb 11, 2026
Let's ask the obvious. There should be zero vulns in notepad. It should be feature complete since XP. Who approved this vulnerability, and how quickly can they be fired? The App store is a joke. At least call it Notepad 2.0 or some other flashy garbage so we can proactively label the bullshit as such.
ufos1111•Feb 11, 2026
Notepad completely froze up on me the other day, from just closing tabs of text files. It's so bloated it's a complete joke, it should be nothing more than text editing, get rid of all the nonsense added to it since win11
gkcnlr•Feb 11, 2026
By looking at their 2025 shareholder report (Look for the part below "NOTE 18"), Windows is only at the 5th place in terms of revenue source, even below the LinkedIn:
I can only think that they do not even care about Windows anymore, let alone Notepad...
Culonavirus•Feb 11, 2026
Microsoft is Windows. Anyone saying otherwise is completely delusional.
Most of M$ office software has alternatives (Google Docs, OpenOffice...), M$ has no AI model and no AI labs to speak of, Github is constantly crashing and burning, Azure is garbage, and they utterly killed Xbox.
Oh and Linkedin is for actual psychopaths.
If Windows dies, all of their other junk that is attached to the platform will die as well.
bigbuppo•Feb 11, 2026
This is why I have been saying that Microsoft is about to go the way of Sears when the AI bubble pops.
smegger001•Feb 11, 2026
I don't know about that they have multiple successful businesses with or without AI and they stand to have all of OpenAI's IP when they implode (their license gives them free access to fork all of OpenAI's AI models with the sole exception of some hypothetical future artificial general intelligence) my guess is they take a hit to the stock price but so will everyone else and they will go on a shopping spree of buying up any IP or infrastructure left after the bubble pops.
hnlmorg•Feb 11, 2026
> Microsoft is Windows. Anyone saying otherwise is completely delusional.
What's delusional is making unsubstantiated claims and then dismissing any counterarguments before they're made.
> Most of M$ office software has alternatives (Google Docs, OpenOffice...)
True. Yet MS Office is still the de facto standard.
> Github is constantly crashing and burning
True. But that doesn't mean it isn't still a business strategy for MS.
> Azure is garbage
Also true. But that doesn't mean it isn't profitable: "Microsoft Cloud revenue increased 23% to $168.9 billion."
> and they utterly killed Xbox
Quite the opposite. Xbox is thriving: "Xbox content and services revenue increased 16%."
> Oh and Linkedin is for actual psychopaths.
That's subjective. And even if it were true, that's got nothing to do with profitability (eg look at Facebook).
> If Windows dies, all of their other junk that is attached to the platform will die as well.
First off, literally no-one is claiming Windows is going to "die".
Secondly, even if it were to "die", you've provided no evidence why their other revenue streams wouldn't succeed when it's already been demonstrated that those revenue streams are growing, and in some cases, have already overtaken Windows.
seabrookmx•Feb 11, 2026
I know devs are a different market, but how many folks do we know daily drive Mac/Linux and use MS dev tools? VS Code, Typescript, .NET?
I think they'll do just fine if Windows dies on the vine. They'll keep selling all the same software; even for PC gaming they already have their titles on Steam.
Obscurity4340•Feb 11, 2026
> LinkedIn is for actual psychopaths
This is true. Peruse r/LinkedinLunatics to see them in action
estimator7292•Feb 11, 2026
Holding one's unsubstantiated personal beliefs above all evidence and rational argument is, in fact, delusion.
The evidence in TFA is that Microsoft is much more than Windows. So much more in fact that one can make a very reasonable argument that it's no longer a top priority for them.
The delusion is shutting your eyes, covering your ears, and screaming about how literally everyone except you is wrong.
derefr•Feb 11, 2026
But it doesn't matter that Azure is garbage, because the people they market it to are big enterprise CTOs, not the actual engineers who'll have to use it. Azure has quite a few of the S&P500 using it.
DuckConference•Feb 11, 2026
It splits revenue out to 3 categories, "Productivity and Business Processes", "Intelligent Cloud", and "More Personal Computing", with windows as one of several things in the 3rd group. How did you figure it out as a 5th place revenue source?
gkcnlr•Feb 11, 2026
Search for this: "Revenue, classified by significant product and service offerings"
gunalx•Feb 11, 2026
You can also kinda read the 3 categories as office, azure, windows. But that is a gross oversimplification.
asadm•Feb 11, 2026
Windows is their trojan-horse.
wisplike•Feb 11, 2026
How are these discovered?
Is it just a well informed guess or do people decompile these programs?
alihawili•Feb 11, 2026
During Windows millennium days, I accessed internet mainly from internet cafes, most of them had windows restrictions enabled, with downloads disabled, my computer hidden and such.
Open notepad, and from notepad I access USB drive then run opera browser installed on it. mail, web, downloads..
docmars•Feb 11, 2026
How's that vibe-coding going, Microsoft? You replaced a perfectly good text editor with AI slop and this is the result — who could've predicted that?
deafpolygon•Feb 11, 2026
Guess vibe-coding the notepad with AI didn't really do them any favors.
jiggawatts•Feb 11, 2026
For Linux folks: Notepad is the Windows equivalent of a console editor such as Pico or Vi.
Its job is to be robust, simple, and always available.
It's supposed to show you the symbols in markdown, not render them.
It is useful for opening potentially dangerous content in a 100% safe way, because "txt" should always be safe to inspect!
It is regularly used to open gigabyte-sized log files and the like, which it has to handle on machines with less free memory than that! Markdown rendering and similar features are fundamentally incompatible with this requirement because they require serialised parsing of the entire file instead of opening just tens of kilobytes at a time using memory mapping or whatever.
Notepad is also used to open files without taking a lock, allowing users to read files that are actively being written to. Again, incompatible with practically all parsing strategies.
The "new Notepad" is some dumbass executive's pet project that overlaps with Visual Studio Code and is a shitty alternative to WordPad, which another dumbass executive axed for no good reason.
grougnax•Feb 11, 2026
At this point Windows should just be thrown to the trash already
So yes, MS will likely denounce this as not their problem and move on.
But yeah, pedantic terminology aside, what a stupid stupid error. In notepad, of all things, reading text files should be safe. It reminds me of the WMF failure. "No you can't get a virus from playing a video" is what I would tell people. And then microsoft in their infinite wisdom said "Herp Derp, why don't we package the executable video decoder right in the video file. It will make searching for a codec a thing of the past" Sigh, smooth move microsoft, thanks for making a liar out of me.
Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor)
I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation
Although I approve of neither feature. notepad should stick with what it does well.
https://liquidninja.com/metapad/
And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.
I didn't even know Notepad would render Markdown.
Notepad handily strips away all the custom link namings and formats that totally fuck the expected output of a simple copy and paste. That's a big part of its magic: its immunity to the choices of marketing teams and dud management.
And decided to jump in on some threads just as well.
From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)
What a fucking terrible page for someone unfamiliar with the site. The "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.
The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing...display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"
I read the cwe not cve, was wrong. It's still early in the morning...
> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.
In fact, if you enabled developer mode on your computer there's a registry key that gets set to run notepad as admin, it's: `runas /savecred /user:PC-NAME\Administrator "notepad %1"` in HKEY_CLASSES_ROOT-> * -> shell -> runas (new folder) -> (Default)
And, if I'm not totally mistaken, notepad also has the ability to reopen files as administrator, but I don't remember how to invoke it.
Regardless, notepad is a very trusted application and is often run as Administrator. Often it's more trusted than any other utility to modify system files.
I think that's a notepad plus plus feature. I had it offer to reopen itself as administrator when editing system files like HOSTS.
Sorry to say this, but Notepad was a very trusted application now. I cannot believe that such a core utility has an 8.8 CVE, it sounds like a joke tbh.
These are sad times.
I'd agree that recent features feel a bit unnecessary, but it does need to edit and write files - including system ones (going through however that is authorised). You could sandbox a lot of apps with limited impact, but it would make a text editor really useless. Least privilege principles work best when you don't need many privileges.
Well, except that this did not prevent it from having embarrassing bugs. Google "Bush hid the facts" for an example. I'm serious, you won't be disappointed.
I think complexity is relative. At the time of the "Bush hid the facts" bug, nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem and we have other battles we fight.
Is that so? I ran pretty often into problems with programs having trouble with non-ANSI characters
In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.
Oh, here is the file I just saved... I see that it now tells me to rob a bank and donate the money to some random cult I'm just learning about.
Let me make a web search to understand how to contact the cult leader and proceed with my plan!
(luckily LLMs were not a thing back then :) )
I wish…
Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.
Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.
Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…
Ah so that’s the trick! I’ve run into this problem a bunch of times in the wild, where some script emits csv which works on the developers machine but fails strangely with real world data.
Good to know there’s a simple solution. I hope I remember your comment next time I see this!
Due to (parts of?) the EU using the comma as the decimal separator, you have to use another symbol to separate your values.
It wouldn't normally necessitate not using comma as the field separator in CSV files though, wrapping those values in quotes is how that would usually be handled in my experience.
Though many people end up switching to “our way”, despite their normal locale preferences, because of compatibility issues they encounter otherwise with US/UK software written naively.
Unfortunately people like CSV to be at least part way human-readable, which means readable delimiters, end-of-record markers being EOLs that a text editor would understand, and the decimal/thousand/currency symbols & date formatting that they are used to.
In the text files we get from clients we sometimes see tab used instead of comma, or pipe. I don't think we've seen semicolon yet, though our standard file interpreter would quietly cope¹ as long as there is nothing really odd in the header row.
--------
[1] it uses the heuristic “the most common non-alpha-numeric non-space non-quote character found in the header row” to detect the separator used if it isn't explicitly told what to expect
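Added example, not code from any commenter: the BOM-first detection order and the header-row separator heuristic described in the comments above, with the CP1252 fallback marked as a guess rather than a result. Function names and the sample byte strings are constructed for illustration.

```python
import codecs
from collections import Counter

# Longest BOMs first: the UTF-32 LE BOM (FF FE 00 00) starts with the
# UTF-16 LE BOM (FF FE), so the order of the checks matters.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]


def sniff_encoding(data: bytes) -> tuple[str, bool]:
    """Return (codec name, confident). confident=False means a guess."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name, True
    try:
        data.decode("utf-8")  # strict decode; plain ASCII passes as well
        return "utf-8", True
    except UnicodeDecodeError:
        # Some 8-bit codepage. CP1252 is the usual assumption, but nothing
        # in the bytes proves it, so report the result as uncertain.
        return "cp1252", False


def sniff_separator(header: str) -> str:
    """Most common non-alphanumeric, non-space, non-quote character."""
    counts = Counter(c for c in header
                     if not (c.isalnum() or c.isspace() or c in "\"'"))
    return counts.most_common(1)[0][0] if counts else ","


def read_header(data: bytes) -> list[str]:
    """Decode with the sniffed codec and split the first row."""
    encoding, _confident = sniff_encoding(data)
    lines = data.decode(encoding, errors="replace").splitlines()
    first = lines[0] if lines else ""
    return first.split(sniff_separator(first))


def misread_as_cp1252(text: str) -> str:
    """What a CP1252-only reader shows for text that was saved as UTF-8."""
    return text.encode("utf-8").decode("cp1252")


# Constructed samples.
EXCEL_CSV = codecs.BOM_UTF8 + "na\u00efve;prix\n1;2,50\n".encode("utf-8")
LEGACY_CSV = "nom,caf\u00e9\n".encode("cp1252")

if __name__ == "__main__":
    print(sniff_encoding(EXCEL_CSV), read_header(EXCEL_CSV))
    print(sniff_encoding(LEGACY_CSV), read_header(LEGACY_CSV))
    # A BOM-unaware reader keeps U+FEFF glued to the first column name.
    print(repr(EXCEL_CSV.decode("utf-8").splitlines()[0]))
    print(misread_as_cp1252("\u00a35"))
```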
It's maddening and it's frustrating. The US doesn't have any of these issues, but in Europe, that's a complete mess!
One particular English-speaking country… The UK has issues with ASCII too, as our currency symbol (£) is not included. Not nearly as much trouble as non-English languages due to the lack of accents & such that they need, but we are still affected.
I think you mean “the US chooses to completely ignore these issues and gets away with it because they defined the basic standard that is used, ASCII, way-back-when, and didn't foresee it becoming an international thing so didn't think about anyone else” :)
When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.
> and we have other battles we fight.
Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.
https://en.wikipedia.org/wiki/Windows_Notepad#Change_in_deve... https://en.wikipedia.org/wiki/WordPad#Discontinuation
They likely knew nobody would be drawn to WordPad by the additions, so they had to scavenge their rapidly diminishing list of actually useful software for sacrifices on the altar to their outrageous AI investments.
While 8.8 score is embarrassing, by no measure notepad was done software. It couldn't load a large text file for one, its search was barely functional, had funky issues with encoding, etc.
Notepad++ is closer to what should be expected from an OS basic text editor
Also, I hope the irony of you citing Notepad++ [1] as what Notepad should aim to be isn't lost on you. My point being, these kinds of vulnerabilities shouldn't exist in a fucking text editor.
[1] https://notepad-plus-plus.org/news/hijacked-incident-info-up...
Remote into a machine that you're not allowed to copy data out of. You only have the utilities baked into Windows and whatever the validated CI/CD process put there. You need to open a log file that has ballooned to at least several hundred megabytes, maybe more.
Moby Dick is about 1MB of text. That's really not much compared to a lot of log files on pretty hot servers.
I do agree though, if we're going to be complaining about how a text editor could have security issues and pointing to Notepad++ as an example otherwise, it's had its own share of notable vulnerabilities even before this update hijacking. CVE-2017-8803 had a code execution vulnerability on just opening a malicious file, this at least requires you to click the rendered link in a markdown file.
Honestly I'm okay with having to resort to power tools for these edge cases. Notepad is more for the average user who is less likely to run into 100 MB text files and more likely to run into a 2 kB text file someone shared on Discord.
I get what you're saying. But if things were done right I probably wouldn't have to be remoting into this box to hunt for a log file that wasn't properly being shipped to some other centralized logging platform.
Regarding large, I am referring to log files for example. I think the issue was lack of use of memory mapped files, which meant the entire file was loaded to RAM always, often giving the frozen window experience
Notepad++ is a monster software.
Plus for many years Word was one of the main cash cows for MS, so they didn't want to make an editor that would take away from Word.
And you could see how adding new things adds vulnerabilities. In this case they added ability to see/render markdown and with markdown they render links, which in this case allowed executing remote code when user clicks on a link.
Wordpad was the bundled rich text editor and was also a mess
I don't think an improved notepad could have cannibalized Word
This definition in the first paragraph on Wikipedia matches my understanding of it as a security consultant:
> The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE or RCX). --https://en.wikipedia.org/wiki/Arbitrary_code_execution
Issues in handling local files, whether they require user interaction or not, are just that
Doesn't take away from the absurdity that notepad isn't a notepad but does extensive file contents parsing
I actually built a "dumb" alternative in Rust last week specifically to escape this. It’s a local-only binary—no network permissions, encrypted at rest, and uses FIPS-compliant bindings (OpenSSL) just to keep the crypto boring and standard.
It’s inspectable if you want to check the crate: https://github.com/BrowserBox/FIPSPad
Every text editor, if it survives long enough, will end up implementing a partial, bug-ridden version of Emacs.
Every text editor, including Emacs [...].
Although now I'm using 9front, Sam and Acme. I feel myself weird not using the keyboard but at least I understood structural expressions for Sam/Acme really fast, first with 'Vis' and next under Acme. Oh, Acme can do mail and news and a bunch more... because it has I/O since the beginning, you can plug anything into it, from commands to the text buffer to sockets. Even a crude HN client if you dare.
To meet FIPS 140-3, I can't roll my own crypto; I have to use a validated module.
I actually only link OpenSSL on Linux, and then only if it's in FIPS-mode. On Windows (CNG) and macOS (CoreCrypto), I use the native OS primitives to avoid the dependency and keep the binary small.
The specific gap this fills is 'Defense in Depth' + compliance. OS-level encryption (like FDE) is transparent once you log in. If you walk away from an unlocked machine, FDE does nothing.
App-level encryption, however, ensures the specific sensitive notes remain encrypted on disk even while the OS is running and the user is authenticated.
It's also portable as it allows the encrypted blob to be moved across untrusted transports (email, USB, cloud) without needing to set up an encrypted container/volume on the destination.
For FIPS/NIST workflows, relying solely on the OS often isn't enough for the auditor; having the application control the keys explicitly satisfies the 'data protection' control regardless of the underlying storage medium.
...then I might as well ask what happens when I walk away from the encrypting editor while a file is still open. User Error can happen with any encryption or security schema. Pointing out a truism is not an argument.
> It's also portable
So is encrypting files using a specialized tool. I don't need my editor to do this. The entire point of my criticism, and indeed the entire point of this thread, is that software that should focus on a narrow task, tries to do way too much, leading to problems.
Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.
The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.
There's no insecurity like compliant cybersecurity :)
Another in 2004: https://www.cve.org/CVERecord?id=CVE-2002-1377
Neither vim nor Notepad are purely for displaying text though.
notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".
Up until fairly recently, that's exactly all Notepad did.
Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.
https://learn.microsoft.com/en-us/answers/questions/3845356/...
You basically have to find the "execution alias" setting and disable notepad and you get the ole reliable :D
OLD POST:
This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.
Last couple of years notepad started getting more features, but I'm very practical so I just ignored them, logged out of my account when necessary, opted out of features in settings, whatever.
But now this moment feels like I must change something, we need a traditional notepad.exe or just copy it from a previous version, I'll try adding NOTEPAD.exe to a thumb drive and having that. But it's a shame that it breaks the purity of "working with what's installed".
https://learn.microsoft.com/en-us/windows/edit/
Edit: Fedora has it available as "msedit". What a time to be alive.
Oh, a kindred spirit!
I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.
(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)
Even with MSBuild 4. From the days when .NET Framework was an OS component and also the build tools (until Roslyn) were part of the Framework.
If you’re going to have a custom config, you might as well have a custom executable.
Not saying that spending the first days on a new project configuring your custom setup with the company's stack is bad, especially if you are categorizing as employee and are looking for a multi year long run. But I tend to do small contracts, 1 to 6 months, and starting right away is a nice boost.
Shh, please. If MS find out, they'll add a parrot to "improve" it.
now that llms exist I am learning with dotnet, that now comes with windows, (or at least it comes with winget, and you can install a lot of kosher software, which is almost as good as having it preinstalled.)
If I ever hop onto an older machine I'll use the gpt to see what I get, i recall there's vbscript, apparently a .net compiler+runtime, and I saw a js interpreter in very old OS too.
A big inspiration in this realm is FogBugz historical "Wasabi". Their idea of compiling to PHP and c# i think it was, because it's what most OS come with, and their corpo clients can use it as it. It's in a joel spolsky blog post somewhere.
I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.
What's your day job? Are you self employed?
I’ve been fighting this for the last couple of weeks but it just doesn’t stick
Btw, nano is only 50/50 chance that it's pre-installed. Learn some vim, will ya? ;)
https://chadnauseam.com/coding/random/calculator-app
https://dl.acm.org/doi/10.1145/2911981
https://dl.acm.org/doi/pdf/10.1145/2911981
https://github.com/LineageOS/android_packages_apps_ExactCalc...
https://medium.com/@jnebos/the-humble-android-calculator-4f1...
They didn’t stop there. They also asked “does this need AI?” and came up with the wrong answer.
It's easy to say you will, and very hard to actually do it.
In life you have to choose your battles.
Because the society in US is arranged as a competition with no safety net and where your employer has a disproportionate amount of influence on your well being and the happiness of your kids.
I'm not going to give up $1M in total comp and excellent insurance for my family because you and I don't like where AI is going.
I'll have to explain it to the wife: "well, you see, we can't live in this house anymore because AI in Notepad was just too much".
I'll dial up my ethical and moral stance on software up to 11 when I see a proper social safety net in this country, with free healthcare and free education.
And if we can't all agree on having even those vital things for free, then relying on collective agreement on software issues will never work in practice so my sacrifice would be for nothing. I would just end up being the dumb idealist.
There is always someone who will take advantage of the prisoner's dilemma.
Some of us were impressionable when Jurassic Park came out.
Gee thanks for helping me find the button I'll use literally once and making me hunt for the one I'll need the other 99999 times I use this service.
Existing users can go fuck themselves as long as new people are registering. Line go up!
- Successfully led key efforts to modernize aging platform technologies
- Directed integration of cutting-edge system-wide artificial intelligence functionality
> How do I add more features to get a promotion
But so far as I can tell the bug isn't related to "network-aware rendering stack" or AI (as other people are blindly speculating)?
From MSRC:
>How could an attacker exploit this vulnerability?
>An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Sounds like a bug where you could put an url like \\evil.example\virus.exe into a link, and if a user clicks it executes virus.exe
You were never able to "click a link" in Notepad in the past.
Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them.
Despite the scary words and score this wouldn't even be a vulnerability if people weren't so hard wired to click every link they see. It's not some URL parsing gone wrong triggering an RCE. Most likely they allowed something like file:// links which of course opens that file. Totally valid link, but the feature must be neutered to only http(s):// because people.
[1] (native GUI widgets? agggh)
Everyone has to prove their worth by involving more people in ever embiggening trainwrecks every quarter in this day and age just to maintain employment, and without tangibly threatening anyone else's while at it. That's where the features are coming from. That's what needs to be fixed. Which also goes way beyond engineering.
They spent the last few years entirely compromising their products rather than improving them.
They're all bundled with AI features (I absolutely don't need) and never in my life will I buy a mac for coding. My current laptop is HODL'ing and idk if this enshittification will end soon.
I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.
What should I do ?
I wonder though if there are more open and trusted modified Windows being developed out there because trying random modified Windows in team-os is not getting me some confidence
Thankfully I don't.
I use qemu in a docker container for many Windows related things, partially because I don't want to keep a "real" Windows system running and partially because I don't want to let that OS run outside of a VM or container.
It depends on your security mindset and goals, but I think we're far into the world of VMs and containers all the way down.
With respect to memory, try it and see. Modern Linux is very good at memory management, since it powers the entire data center world. You can certainly overcommit memory with Docker containers easily without a problem.
I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.
2. It costs an arm and a leg to replace parts on a Mac when you travel outside the United States. Replacing the keyboard on my first macbook cost the same as the actual price. I learnt my lesson. I don't need that Apple garbage in my life.
This has prompted me to move on from Notepad++ - it's sad, because I've used it for many years, but this is too much.
One could argue it's an issue with windows where you can't just pull updates using a package manager/app store.
But I guess that's what you get when you fragment your ecosystem in apt, snap and gnome extension manager. I need to master nix asap.
Ok, tabs, I do like the tabs.
https://gs.statcounter.com/windows-version-market-share/desk...
Not sure what caused the inflection point in December 2025.
I try to use Pinta/Paint.Net, but it's not quite as good as I remember psp being. I don't even hate the newer MS Paint... though I'm only on windows for my work environment and even then.
Aside: I've been using my personal computer more, so I can work on a limited surface with docker and ai agent, then just bring in the components I'm working on when ready. My work environment is really locked down, no wsl, no docker... and it's like working in 2002 to some extent... It's literally easier for me to create stand-alone projects, work on a given feature in complete isolation... AI agent mostly to boilerplate the environment and most of the automated sanity tests, then I can focus on just what I'm working on.
Better to have no alpha-transparency than whatever this is. At least old Paint just turned it white, and you could manipulate the white layer, with this working with the alpha layer is a nightmare.
I copied out mspaint.exe and some resource files as well were needed.
It runs for me without error.
Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).
Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.
Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.
But some things just don’t run there (properly).
Like Assetto Corsa EVO or SimHub.
[1] https://www.protondb.com/app/3058630
[2] https://www.simhubdash.com/community-2/simhub-support/guide-...
The Web versions of Office, err MS 365, err CoPilot App.. (OMG!>!!>) ... aren't so bad to use in a Linux browser either.
You won't know until you try. My mum used all versions of Windows from 3.1 till Windows 7. She hated Windows 8, and that's when I decided to switch her to Linux (with XFCE) - and she felt the UI was a lot more familiar to her than Windows 8. I recently showed her a few screenshots of Windows 11, and she finds her current desktop (now on KDE) a lot more familiar than Windows 11. Same with Office, she prefers the older style toolbar of LibreOffice than the ribbon UI of modern versions Office.
So maybe install it on a spare device as a trial and see how they like it?
Update - it's just the games; I thought it had notepad and calc as well
It's because the program just calls a Windows API to display the version dialog of Windows itself.
By using a version that is _that_ old you do lose out on some of the actually useful updates legacy notepad received, such as LF line ending support.
No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.
Ala Cmd+Shift+V on Mac
Obsidian has a mildly infuriating default of opening previews with ctrl shift v keys instead of pasting with no formatting.
ETA: I only noticed yesterday because a "sponsored suggestion" popped up when I was typing, which I've not seen before. So either they actually enabled it recently, or advertisers don't bid on the kinds of things I usually type.
ctrl-l is for the address box
At most I want the address box to do is look up a dns name. Which can still be a risk if I were to hit "enter" with sensitive information which could in some cases get pushed out to my DNS provider (which is me, but then it's possible the address would be pushed out to another resolver, and will also be logged in an unexpected place)
I've always had a suspicion that even with auto complete off, some sort of telemetry or obscure feature is still leaking browser address bar text.
Amazingly still works on Win 11 and still seems to keep it local (bypassing the windows search), so I'm pleased to report consistent results for 30 ish years.
Of course, now I've mentioned it out loud, it'll be the next thing to go...
I don't know if it's just me being old and grumpy, but everything windows 8 and later (server 2003) seems like half-baked, unfinished enshittification. Trying to do something even vaguely "advanced" to a network adapter puts me back in windows 95 land along with the run box. The "manage" pane with device & disk manager and logs is from a totally bygone era yet it seems to still be the only way of getting that information. The worst bit is, I'm not complaining. All the bits that look and feel like they've been forgotten since Windows 2000 are the easiest, least infuriating bits of the system I interact with.
The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.
Most of the features that were added in later versions: unicode, tabs, auto-reload, support for large files. CTRL+S is also nice.
AI! It needs AI. Did I guess it right?
https://github.com/christian-korneck/classic-windows-notepad
Extract both the ISO and reactos.cab with 7zip.
[0] In the unlikely case that it isn’t there, you can add it through System > Optional Features > Add an optional feature.
Wordpad was the same but a rich text editor control.
There’s very little need for it to have ever become more.
After they added copilot I finally gave up and uninstalled it and switched to one of the minimalistic clones of the good old notepad.exe
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
Windows is just a mountain of shit.
Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?
Oh, what do you mean there's also SELinux, Snap, Flatpak, Docker, Podman, ...?
Because a compromised user could infect shared executables and spread the infection. A bit harder to do with etc but for sure possible. The main target would be infecting bash and you are done from the get go.
>when literally the only files that matter to me are in /home, which is a free-for-all?
The home folder's read write is usually restricted to the user. The only scenario where this isn't the case to my knowledge is Ubuntu where others can read it, but this is just a huge flaw in Ubuntu that almost no other distro has.
> The home folder's read write is usually restricted to the user.
Yeah, and that is the point. All user's programs including curl, wget, the web browser, anything else that connects to the network run as the user, and all the user's programs, by default, have access to everything inside ${HOME}.
Most people don't really care if /bin gets obliterated, but they do care dearly when /home/joe/photos/annies-2nd-birthday gets wiped.
You can always have two user accounts: oblio and unsafe-oblio and have a shared folder between the two for transferring files. Or invest into some backup software.
And no, it's not "a lot of work" it's the bare minimum
We have supposedly all the smartest minds in the world working in tech and they haven't been able to create a simple, cheap, reliable cross platform solution for user data protection, backup and restore.
It's easier to blame users instead.
I even signed it and everything.
As for the desktop community… Well, it has a severe lack of professionals.
telnetd CVE-2026-24061. It's an embarrassingly simple exploit but took years to be discovered.
> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.
You have:
- Windows Sandbox (consumer-level sandbox)
- Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)
- HyperV (VM hypervisor)
- Edge Browsers

Don't get me wrong MSFT quality is dropping steeply, but this is still a strong point. For comparison, on Ubuntu, user folder by default can be read by all users.
Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.
Many Linux distros are also guilty of this, disabling the root account by default and having the only user have sudo privileges, just like Windows.
This hasn't been true since Vista. Kind of even before that with XP, it really showcased using multiple accounts to home users with a much more stylized user selection screen.
Uninstall Windows completely 4 years ago when Windows 11 was released heralding in a new era of absolutely insane, self-destructive, unnecessary and unwanted shit?
There is no valid excuse for this vulnerability. Its existence is a category error that's only possible because Microsoft has completely jumped the shark. Continuing to use /any/ of their products is a choice to accept pure insanity as a default.
https://github.com/microsoft/edit
Yeah, it's a re-creation of edit, but it's pretty great... also runs outside windows.
if there's really nothing more to this 8.8 RCE CVE than that, this will finally be the thing that makes me blackhole cve.org.
I saved this as test.md, opened it in notepad, clicked the link, and it popped open a command line:
[Click me](C:/Windows/System32/cmd.exe)
Can definitely go further than this; just a quick test.
To be fair, though, it's not just a click -> open/run. The user has to `ctrl+click` and will see the source of the link (at least I do).
This isn't an AI slop problem.
The application of tools is.
There must be something much worse than slop going on to get to this point.
That's a slop if you ask me. Even if it wasn't vibe coded, it now wants me to vibe use it. Who the hell wanted that.
[1] https://en.wikipedia.org/wiki/Esoteric_programming_language#...
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for persistent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
[1]https://github.com/microsoft/edit
> Windows Notepad
Disambiguation urgently needed.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
Notepad? Link handling?
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
Like, if I have a h2 or url, its going to show as special text rather than the h2 tag?
I mean... other than it creating vulnerability... and maybe is the beginning of the end of notepad as a plain text editor...
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
Because, almost entirely, the software development industry has disclaimed all responsibility. It's super common for people to try to do shit they have no experience or skill at, push their effort to be adopted by others, then when it crashes and burns they have no accountability. If software "engineers" adopted the rigors and accountability and dignity of traditional engineering, the industry would be very different.
It feels like a plague of ignorance and enshittification has silently taken over everything.
Markdown is more properly understood as a family of related-but-mutually-incompatible standards, like CSV, and like "supporting CSV" is a lot more complicated than meets the eye. And supporting Markdown is already clearly non-trivial compared to the baseline of Notepad we've come to expect over the past few decades.
The problem is that overall we seem to have fumbled both the concept and the implementation. There are a bunch of vaguely similar but incompatible markdowns and apparently rendering them is too hard and people immediately reach for an enormous pile of software (usually a web stack) to render it for them.
It should have been entirely possible for a person to write a markdown parser in a couple hours and e.g. render paragraphs, bulleted lists and tables into a terminal.
You may be struggling a bit because you are reading some sort of moralization into the statement, some sort of emotional judgment, but there isn't any. It is clear that there does not exist a function that takes a span of "Markdown text" in and emits an abstract syntax tree that everyone agrees upon [1]. That's a fairly mathematical way of putting it, but even from an engineering point of view, the differences matter. Very quickly. It's not like you need to reach deep into crazy syntax to get to real, concrete disagreements between systems, you can hit problems with something as simple as
between the systems where they will do substantially different things. There are literally dozens of markdown formats now.
How we got there, why such a thing exists, as interesting as those questions may be none of them change the reality on the ground. There is no universal markdown to be appealed to. The closest is CommonMark, and that explicitly exists precisely because there was no consensus in the first place. If markdown was a format, CommonMark would never have been created.
[1]: Nor does its inverse, which at times is more frustrating to me than this. I have in mind what I want to do and either can't figure out how to do it or it simply can't be done.
But seriously though, all those weird markdown formats could easily just have their own custom parsers that then translate into the common format--supposing the common format is the union of all their features.
MS has WordPad... fck around with that to make it support markdown or whatever else beyond rtf you want it to support. For that matter, it's probably that much more appropriate to do so.
Do I typically use Notepad, no.. not really... I actually use the new rust based edit terminal app more than Notepad. That said, I expect notepad to do one thing... edit text files, and to not break doing so. The ONLY* addition that might be acceptable would be a HEX Editor mode, so you can edit any file.
There are maybe 5-7 applications in Windows I expect to never break... task manager, notepad, registry editor, file explorer, command prompt are at the top of that list... these are the golden tools that should never fail, even if everything else does.
There's also a pretty large jump between "I can ask the system to open this link in the default browser" and "I have built my own link handling in a memory-unsafe language to support some really fringe features, and oops it's exploitable"
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
Calculator hasn't been infiltrated by Copilot yet, but I'm sure the day is coming.
You're the preinstalled calculator!! You don't have to compete with other apps!!
1. Note about blah
2. Paste link to blah
3. Open that link later when reviewing my notes.
Blah is sometimes a web link, sometimes a link to a doc on my system, and sometimes a link to an item in my todo tracker. The better analogy is this is like a pencil having an eraser built in.
I use Drafts instead of Notepad, but if I used Notepad I would want to be able to easily open links in my notes. When I do find myself in Notepad, it's because I double clicked on a readme file that often contains links to resources I need.
If your computer was working, there was never really supposed to be a reason to invoke Notepad. Programmers were expected to install IDEs or third-party text-editor software. Microsoft's own READMEs have always been .rtfs ever since Windows 95. And so on. For a little while, you might use it to view system log files? But the Windows NT lineage gave Windows an Event subsystem with its own MMC-based console, so even that didn't require Notepad any more.
It's therefore bizarre that Microsoft have decided to "enhance" Notepad into this pseudo-rich-text thing, while also sunsetting Wordpad; when it seems like what they really wanted was to "enhance" Wordpad to also do what Notepad does, while sunsetting Notepad. (Even with full back-compat, they could have done this by making Notepad.exe a stub that launched Wordpad.exe with flags.)
1. You can use UNC paths to access remote servers via SMB
2. Even if it's local, it's still more useful than you make it out to be. For instance, suppose you downloaded a .zip file of some github project. The .zip file contains virus.exe buried in some subfolder, and there's a README.md at the root. You open the README.md and see a link (eg. "this project requires [some-other-project](subfolder\virus.exe)". You click on that and virus.exe gets executed.
Relevant article from The Old New Thing: https://devblogs.microsoft.com/oldnewthing/20060509-30/?p=31...
Programs (this is true for most mainstream operating systems) can become network facing without realizing it. I've sometimes found a bunch of Windows programs sometimes tend to assume that I/O completes "instantly" (even if async I/O has been common on Windows for a very long time) and don't have a good UX for cancelling long running I/O operations
Is this not a problem with anything that offers a preview of markdown (or HTML, or anything with embedded links)?
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Electron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
[1]: https://cybersecuritynews.com/windows-notepad-rce-vulnerabil...
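The link targets discussed in this thread (UNC paths, local executables, relative paths inside a downloaded archive, file:// and custom schemes) can be audited before a Markdown file is opened in a viewer that makes links clickable. The following is an added example, not part of any comment here and not Notepad's code; the function names, the ok/review/block policy and the sample document are constructed for illustration, and the link regex is a simplification of real Markdown parsing.

```python
import re
from dataclasses import dataclass

# Simplified inline-link and autolink patterns (assumption: no nested brackets,
# no reference-style links; a full CommonMark parser handles more cases).
INLINE_LINK = re.compile(r'\[([^\]]*)\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>')
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')
DRIVE_PATH = re.compile(r'^[A-Za-z]:[\\/]')

ALLOWED_SCHEMES = {"http", "https"}  # the http(s)-only policy suggested in the thread
# Illustrative, not exhaustive: extensions that commonly execute when opened on Windows.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js",
                   ".msi", ".lnk", ".scr", ".hta"}

# Constructed sample; the risky targets are the ones quoted in the thread.
SAMPLE = r"""# Project notes (constructed sample)
See the [docs](https://example.com/docs) and the [install guide](docs/INSTALL.md).
This project requires [some-other-project](subfolder\virus.exe).
[Click me](C:/Windows/System32/cmd.exe)
[share](\\evil.example\virus.exe)
[handler](example-scheme:payload)
<file:///C:/Users/Public/readme.txt>
[top](#intro)
"""


@dataclass
class Finding:
    line: int
    text: str
    target: str
    kind: str
    verdict: str  # "ok", "review" or "block"


def classify(target: str) -> str:
    """Name the kind of resource a link target points at."""
    t = target.strip()
    if t.startswith("#"):
        return "anchor"
    # Treated conservatively: in a local file, //host/share can resolve like \\host\share.
    if t.startswith("\\\\") or t.startswith("//"):
        return "unc-path"
    # Check drive letters before schemes, otherwise "C:" would parse as scheme "c".
    if DRIVE_PATH.match(t):
        return "local-path"
    m = SCHEME.match(t)
    if m:
        scheme = m.group(1).lower()
        if scheme in ALLOWED_SCHEMES:
            return "web"
        return "file-scheme" if scheme == "file" else "custom-scheme"
    return "relative-path"


def has_executable_ext(target: str) -> bool:
    """True if the last path component ends in a commonly executable extension."""
    path = re.split(r'[?#]', target, maxsplit=1)[0]
    name = re.split(r'[\\/]', path)[-1].lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in EXECUTABLE_EXTS


def verdict(kind: str, target: str) -> str:
    if kind in ("web", "anchor"):
        return "ok"
    # A relative link to another document is common in READMEs; flag it for a look.
    if kind == "relative-path" and not has_executable_ext(target):
        return "review"
    return "block"


def extract_links(markdown: str):
    """Yield (line number, link text, target) for inline links and autolinks."""
    for lineno, line in enumerate(markdown.splitlines(), 1):
        for m in INLINE_LINK.finditer(line):
            yield lineno, m.group(1), m.group(2)
        # Remove inline links first so [x](<scheme:...>) is not counted twice.
        rest = INLINE_LINK.sub("", line)
        for m in AUTOLINK.finditer(rest):
            yield lineno, m.group(1), m.group(1)


def audit(markdown: str) -> list:
    findings = []
    for lineno, text, target in extract_links(markdown):
        kind = classify(target)
        findings.append(Finding(lineno, text, target, kind, verdict(kind, target)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.verdict:6} line {f.line}: {f.kind:14} {f.target}")
```
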
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
Edit: going with EmEditor; forgot that existed
This should be treated as an all-out war.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
but I do wish they had called it something else and kept notepad as txt only.
https://www.microsoft.com/investor/reports/ar25/index.html#
I can only think that they do not even care about Windows anymore, let alone Notepad...
Most of M$ office software has alternatives (Google Docs, OpenOffice...), M$ has no AI model and no AI labs to speak of, Github is constantly crashing and burning, Azure is garbage, and they utterly killed Xbox.
Oh and Linkedin is for actual psychopaths.
If Windows dies, all of their other junk that is attached to the platform will die as well.
What's delusional is making unsubstantiated claims and then dismissing any counterarguments before they're made.
> Most of M$ office software has alternatives (Google Docs, OpenOffice...)
True. Yet MS Office is still the de facto standard.
> Github is constantly crashing and burning
True. But that doesn't mean it isn't still a business strategy for MS.
> Azure is garbage
Also true. But that doesn't mean it isn't profitable: "Microsoft Cloud revenue increased 23% to $168.9 billion."
> and they utterly killed Xbox
Quite the opposite. Xbox is thriving: "Xbox content and services revenue increased 16%."
> Oh and Linkedin is for actual psychopaths.
That's subjective. And even if it were true, that's got nothing to do with profitability (e.g. look at Facebook).
> If Windows dies, all of their other junk that is attached to the platform will die as well.
First off, literally no-one is claiming Windows is going to "die".
Secondly, even if it were to "die", you've provided no evidence why their other revenue streams wouldn't succeed when it's already been demonstrated that those revenue streams are growing, and in some cases, have already overtaken Windows.
I think they'll do just fine if Windows dies on the vine. They'll keep selling all the same software; even for PC gaming they already have their titles on Steam.
This is true. Peruse r/LinkedinLunatics to see them in action.
The evidence in TFA is that Microsoft is much more than Windows. So much more in fact that one can make a very reasonable argument that it's no longer a top priority for them.
The delusion is shutting your eyes, covering your ears, and screaming about how literally everyone except you is wrong.
Is it just a well informed guess or do people decompile these programs?
Its job is to be robust, simple, and always available.
It's supposed to show you the symbols in markdown, not render them.
It is useful for opening potentially dangerous content in a 100% safe way, because "txt" should always be safe to inspect!
It is regularly used to open gigabyte-sized log files and the like, which it has to handle on machines with less free memory than that! Markdown rendering and similar features are fundamentally incompatible with this requirement because they require serialised parsing of the entire file instead of opening just tens of kilobytes at a time using memory mapping or whatever.
Notepad is also used to open files without taking a lock, allowing users to read files that are actively being written to. Again, incompatible with practically all parsing strategies.
The "new Notepad" is some dumbass executive's pet project that overlaps with Visual Studio Code and is a shitty alternative to WordPad, which another dumbass executive axed for no good reason.