Why is Microsoft updating their text editors!? | TheStandup

The PrimeTime · 5 min read

Based on The PrimeTime's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Windows Notepad’s Markdown link rendering can route clicked link strings through ShellExecute rather than safely constraining them to browser behavior.

Briefing

Microsoft’s built-in Notepad and the community-favorite Notepad++ both ended up tied to serious security problems—one rooted in how Notepad handles Markdown links, the other in how Notepad++ updates can be hijacked. The core takeaway is that “just a text editor” has become a high-value target because modern features (like link parsing and auto-updaters) can turn harmless-looking clicks and update prompts into pathways for code execution.

For Windows Notepad, the trouble starts with Markdown support. When a Markdown file is opened, Notepad parses link syntax and renders clickable links. But instead of treating those links as something that should be safely handed off to a web browser, the implementation preserves the raw URL string and then passes it directly into Windows’ ShellExecute mechanism when the user clicks. ShellExecute is designed to route “open” requests to whatever protocol handler or registered application matches the input. That means a link that looks like a normal web URL can, in principle, be replaced with other protocol-style commands—such as file paths or installer-style handlers—leading to execution with the user’s permissions.

Microsoft had already removed a particularly dangerous ShellExecute capability in 2024: automatic handling of installer apps via MS-AppInstall. With that removed, the “maximal” version of the Notepad exploit—where a crafted link could trigger a download-and-install flow—would be blocked by a warning dialog telling users that auto-install is no longer allowed. Still, the underlying issue remains: the click path relies on ShellExecute with insufficient hardening, so the safety of the outcome depends heavily on what Windows will do with the provided string.

Notepad++ presents a different, more alarming scenario. The attack chain doesn’t rely on a single click to run arbitrary commands; it targets the update process itself. Notepad++ uses an updater (referred to in the discussion as “WinG”/“wings” updater) that checks a website for an XML payload describing the latest version and then prompts the user to download it. In the vulnerable period, the updater lacked cryptographic integrity checks for the update metadata and the downloaded binaries. That opens the door to man-in-the-middle attacks: if an attacker can intercept the update traffic, they can serve a malicious Notepad++ update.

The sophistication escalates further. Rather than poisoning updates broadly, researchers believe attackers selectively targeted high-value victims—only delivering the malicious update to specific IPs. The malicious payload used a legitimate signed executable (described as coming from Bitdefender) but swapped out a loaded DLL so the signed wrapper could load attacker-controlled code. The result is that the victim believes they’re updating Notepad++, but the system runs a renamed malicious service (“Bluetooth service”) that carries the exploit payload. Researchers at Rapid7 reportedly had to work through a small number of affected machines to reconstruct the chain.

Together, the incidents show how security risk can emerge from everyday usability features: Markdown link handling that routes through ShellExecute, and update systems that don’t verify what they download. Even when protections exist (like the removal of MS-AppInstall handling), the broader lesson is that “safe by default” assumptions no longer hold for core productivity tools.

Cornell Notes

The discussion centers on two security incidents affecting Windows text editors: Microsoft Notepad and Notepad++. Notepad’s Markdown support renders clickable links, but the click handler passes the raw link string into Windows ShellExecute, which can route to protocol handlers and potentially execute unintended actions. Microsoft mitigated the worst-case path by removing MS-AppInstall handling in 2024, reducing the “download-and-install” style exploit. Notepad++ faced a more dangerous threat model: its update mechanism lacked cryptographic validation, allowing man-in-the-middle attackers to deliver malicious updates. Researchers believe attackers targeted specific high-value victims and used a signed executable with a swapped DLL to evade some defenses, making the compromise harder to detect.

Why does Notepad’s Markdown link feature create a security risk beyond “opening a URL in a browser”?

Notepad parses Markdown links and makes them clickable, but when clicked it preserves the raw URL string and passes it to Windows ShellExecute. ShellExecute is a general “open” router that consults registered protocol handlers and applications. That means the input isn’t guaranteed to be treated strictly as an HTTPS web link; it can be interpreted according to what handlers exist on the machine, potentially enabling actions other than launching a browser.
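The briefing and this answer both rest on the same design point: a Markdown click handler has to decide what a link is before handing it to anything as permissive as ShellExecute. The Go program below is an added example (not Notepad’s code and not from the video) of the allow-list check a defender would place in front of the opener: only well-formed http/https URLs with a host and no embedded credentials get through, while drive paths, UNC paths, file: links and every other scheme are refused before they can reach a handler lookup. `SafeWebURL`, `OpenLink`, the `allowedSchemes` list and the sample links are all constructed for illustration; on Windows, the string returned from `SafeWebURL` would be the only thing ever passed to the browser launch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeLink is returned for anything that is not a plain web URL.
var ErrUnsafeLink = errors.New("link rejected: not a plain http(s) URL")

// allowedSchemes is an assumption for this example: a Markdown viewer only
// needs to open web links, so only these two schemes are handed onward.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// SafeWebURL returns the normalized URL if the link is a well-formed http(s)
// URL with a host and no embedded credentials. Every other input (drive and
// UNC paths, file: links, custom protocol handlers, user@host tricks) is
// rejected so it never reaches an "open whatever this string is" router.
func SafeWebURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", ErrUnsafeLink
	}
	// Whitespace and control characters inside a link are a classic way to
	// smuggle extra tokens past a lenient parser; refuse them outright.
	for _, r := range raw {
		if r <= ' ' || r == 0x7f {
			return "", ErrUnsafeLink
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrUnsafeLink
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return "", ErrUnsafeLink
	}
	// No host means an opaque or relative form; userinfo is rejected because
	// "https://good.example@evil.example/" reads as good.example to a human.
	if u.Hostname() == "" || u.User != nil {
		return "", ErrUnsafeLink
	}
	return u.String(), nil
}

// OpenLink is the hypothetical click handler. The browser launch is a
// callback so the example runs on any OS; on Windows that callback would be
// the only place the (already validated) string reaches the system.
func OpenLink(raw string, launchBrowser func(string)) error {
	safe, err := SafeWebURL(raw)
	if err != nil {
		return err
	}
	launchBrowser(safe)
	return nil
}

func main() {
	// Constructed sample links (not from the page) to exercise the check.
	samples := []string{
		"https://example.com/docs/readme.md",
		"http://example.com/a b",
		"file:///C:/some/program.exe",
		`C:\some\program.exe`,
		`\\server\share\tool.exe`,
		"someapp://open?target=x",
		"https://good.example@evil.example/",
	}
	for _, s := range samples {
		err := OpenLink(s, func(u string) { fmt.Printf("browser  <- %s\n", u) })
		if err != nil {
			fmt.Printf("rejected <- %q (%v)\n", s, err)
		}
	}
}
```

The check is deliberately a positive allow-list rather than a block-list of known-bad prefixes: the set of protocol handlers registered on a given machine is unknown to the application, so the only safe policy is to accept the one shape of input the feature actually needs.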

What role did Microsoft’s 2024 removal of MS-AppInstall play in limiting the Notepad exploit?

ShellExecute historically could handle installer-style protocol behavior via MS-AppInstall, which could enable a crafted link to trigger an install flow (download and run) from a remote location. The discussion says Microsoft removed that capability in 2024, so the maximal exploit path would instead trigger a dialog warning that auto-install is no longer allowed, preventing the most severe one-click install scenario.

How did the Notepad++ update system become exploitable?

Notepad++ used an updater that fetched an XML payload from a website to determine the latest version and then prompted the user to download it. In the vulnerable period described, the updater did not validate the update metadata or the downloaded binaries with cryptographic integrity checks. Without signature or hash verification, an attacker who can intercept the update traffic could supply a malicious update.

Why was the Notepad++ attack harder to notice than a broad supply-chain compromise?

Instead of poisoning updates for everyone, researchers believe attackers selectively served the malicious update only to specific high-value targets (identified by IP). That means most users would see normal updates and security monitoring would have fewer anomalies to catch, making the campaign more stealthy.

What was the “signed executable + swapped DLL” tactic used in the Notepad++ compromise?

The malicious update reportedly included a legitimate signed executable (described as associated with Bitdefender), but with a DLL replacement. The signed wrapper would pass security checks tied to the executable’s signature, while the swapped DLL would load attacker-controlled code at runtime. The discussion describes the resulting process as a renamed service (“Bluetooth service”) that actually runs the exploit payload.
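The updater question above and this DLL-swap tactic are defeated by one control: sign the update metadata, and have that metadata cover every file in the package rather than only the launcher. The Go program below is an added example (not the Notepad++ updater’s code and nothing from the video) of that pattern. The XML manifest layout, the Ed25519 vendor key, the file names and the file contents are all constructed for illustration; the real updater’s manifest format is not described on the page. A man-in-the-middle cannot change the manifest without breaking the signature, and a package in which the DLL beside an untouched signed launcher has been replaced fails the per-file hash check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"sort"
)

// Manifest is a hypothetical update descriptor (assumed layout, not the
// updater's). Every shipped file, DLLs included, is listed with its SHA-256
// so a swapped DLL cannot hide behind a signed launcher.
type Manifest struct {
	XMLName xml.Name    `xml:"update"`
	Version string      `xml:"version"`
	Files   []FileEntry `xml:"file"`
}

type FileEntry struct {
	Name   string `xml:"name,attr"`
	SHA256 string `xml:"sha256,attr"`
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("file differs from signed manifest")
	ErrUnlistedFile = errors.New("file not listed in manifest")
	ErrMissingFile  = errors.New("file listed in manifest is absent")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildSignedManifest is the vendor-side step: hash every file, emit the XML
// in sorted order (deterministic bytes) and sign exactly those bytes.
func BuildSignedManifest(priv ed25519.PrivateKey, version string, files map[string][]byte) (manifestXML, sig []byte, err error) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	m := Manifest{Version: version}
	for _, n := range names {
		m.Files = append(m.Files, FileEntry{Name: n, SHA256: sha256Hex(files[n])})
	}
	if manifestXML, err = xml.Marshal(m); err != nil {
		return nil, nil, err
	}
	return manifestXML, ed25519.Sign(priv, manifestXML), nil
}

// VerifyUpdate is the client-side step. The vendor public key is pinned in
// the client; nothing fetched over the network is trusted until both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, sig []byte, pkg map[string][]byte) (*Manifest, error) {
	// 1. Authenticity of the metadata: without it an on-path attacker can
	//    rewrite the version, the download location and the hashes at will.
	if !ed25519.Verify(pub, manifestXML, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	expected := make(map[string]string, len(m.Files))
	for _, f := range m.Files {
		expected[f.Name] = f.SHA256
	}
	// 2. Integrity of every file: extra files, missing files and a DLL that
	//    does not hash to the listed value all fail here.
	for name, data := range pkg {
		want, ok := expected[name]
		if !ok {
			return nil, fmt.Errorf("%w: %s", ErrUnlistedFile, name)
		}
		if sha256Hex(data) != want {
			return nil, fmt.Errorf("%w: %s", ErrHashMismatch, name)
		}
	}
	for name := range expected {
		if _, ok := pkg[name]; !ok {
			return nil, fmt.Errorf("%w: %s", ErrMissingFile, name)
		}
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed package contents: a launcher plus the DLL it loads.
	genuine := map[string][]byte{"editor.exe": []byte("signed launcher bytes"), "helper.dll": []byte("genuine helper dll")}
	manifest, sig, _ := BuildSignedManifest(priv, "1.2.3", genuine)
	_, err := VerifyUpdate(pub, manifest, sig, genuine)
	fmt.Println("genuine package:", err)
	// The attacker keeps the signed launcher and swaps the DLL beside it.
	swapped := map[string][]byte{"editor.exe": genuine["editor.exe"], "helper.dll": []byte("attacker-controlled dll")}
	_, err = VerifyUpdate(pub, manifest, sig, swapped)
	fmt.Println("swapped DLL:", err)
}
```

Signing the manifest rather than only the binary is what makes the selective-targeting scenario detectable on the client: a manifest served only to one victim still has to verify under the same pinned vendor key as everyone else’s, and a package that differs in any file from the signed listing is refused regardless of who it was served to.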

Review Questions

  1. What is the difference between handing a URL to a browser versus routing it through ShellExecute, and why does that matter for security?
  2. How do cryptographic integrity checks (or their absence) change the threat model for software updaters?
  3. Why would selective targeting of high-value victims make an update-based attack more difficult for defenders to detect?

Key Points

  1. Windows Notepad’s Markdown link rendering can route clicked link strings through ShellExecute rather than safely constraining them to browser behavior.
  2. ShellExecute acts as a protocol/application router, so unsafe inputs can be interpreted according to installed handlers and verbs.
  3. Microsoft’s 2024 removal of MS-AppInstall handling reduced the worst-case “click-to-install” severity for the Notepad ShellExecute path.
  4. Notepad++ became vulnerable through an updater that lacked cryptographic validation of update instructions and downloaded binaries.
  5. A man-in-the-middle attacker could serve a malicious Notepad++ update if the updater didn’t verify authenticity.
  6. The most damaging Notepad++ compromises were reportedly selective, targeting specific high-value victims rather than everyone.
  7. Attackers reportedly used signed executables with swapped DLLs to make malicious payloads harder to spot.

Highlights

Notepad’s Markdown links were clickable, but the click path relied on ShellExecute with the raw link string—turning a “text link” into a potential execution primitive.
The MS-AppInstall removal in 2024 blocked the most severe Notepad scenario, but the underlying ShellExecute risk still depended on hardening.
Notepad++’s updater lacked cryptographic integrity checks, enabling man-in-the-middle delivery of malicious updates.
Researchers believe attackers selectively poisoned updates only for certain IPs, reducing widespread detection signals.
The Notepad++ payload reportedly combined a legitimate signed executable with a replaced DLL to load attacker code while keeping the outer signature intact.

Topics

  • Notepad Security
  • Notepad++ Updates
  • ShellExecute
  • Markdown Links
  • Man-in-the-Middle Attacks

Mentioned

  • CVE
  • MSI
  • DLL
  • XML
  • IP
  • MITRE
  • HTTP
  • SSH
  • Copilot