- As per Project Zero’s vulnerability disclosure policy, Microsoft has to release a patch within 90 days of discovery of the flaw.
- Failure to release a patch within the given timeline will result in the disclosure of technical details of the flaw.
Microsoft’s Notepad text editor has been found to be vulnerable to a newly discovered remote code execution flaw.
In a Twitter post, Google Project Zero researcher Tavis Ormandy revealed that he has identified a remote code execution vulnerability in Microsoft’s Notepad text editor.
Ormandy has reported the issue to Microsoft. As per Project Zero’s vulnerability disclosure policy, Microsoft has to release a patch within 90 days of the discovery, after which the technical details of the flaw will be disclosed to the public.
Earlier, Ormandy anticipated that the vulnerability was a memory corruption bug. He even shared an image, demonstrating how to launch a Command Prompt. The expert confirmed that he has already developed a ‘real exploit’ for the issue.
The bottom line
Chaouki Bekrar, a founder of zero-day broker Zerodium, has explained that the type of issue found by the Google white hat hacker is not uncommon. He noted that it is not the only vulnerability that can be used to ‘pwn’ Notepad.