A Google Project Zero researcher has announced the discovery of a vulnerability in Notepad, the text editor that comes standard with Microsoft Windows. The problem is described as a code execution flaw that allows dangerous code to be started.
Code Execution Flaw Found in Notepad
Tavis Ormandy, a security researcher from Google’s Project Zero division, has announced the discovery of a code execution flaw in Notepad, the well-known text editor used in Microsoft Windows. The problem was disclosed to Microsoft and was publicly reported after 90 days had passed since the private report. At the moment no additional information is available, as Microsoft has not yet released a patch for the issue.
The flaw is expected to rely on a memory corruption bug in the application. The security researcher has demonstrated how to pop up a command shell by using the Notepad application alone. The good news about this particular threat is that the bug was privately disclosed to Microsoft, allowing the company to prepare a patch in due time and prevent abuse by criminal collectives. To date, no information is available about any hacking attempts that have made use of this particular bug.
There are several probable scenarios in which the flaw could be used in an attack campaign:
- Malware Payload Delivery — The hackers can send out files that include the code needed to execute dangerous code through interaction with Notepad.
- Social Engineering and Manipulation — The criminals can use elaborate mechanisms and scams to manipulate the target users into entering certain commands that will open a shell and execute malicious commands.
It is expected that the next monthly security patches for Windows will contain fixes for the Notepad vulnerability.