Google vulnerability researcher finds code execution vulnerability in Microsoft Notepad
Tavis Ormandy, a security engineer at Google's security lab, said on Twitter that a zero-day vulnerability has been found in the Notepad program. In the screenshot Tavis Ormandy released on Twitter, the security engineer has successfully launched a CMD command prompt window under the Notepad process.
Am I the first person to pop a shell in notepad? 🤣 ….believe it or not, It's a real bug! 🐞 pic.twitter.com/t2wTh7E93p
— Tavis Ormandy (@taviso) May 28, 2019
Tavis is as surprised as we are that a zero-day vulnerability was found in Notepad; after all, this traditional application has been with us for many years. According to publicly available information, the vulnerability may be a memory corruption vulnerability. A TXT text file can really be used to launch an attack.
The security engineer is unable to disclose the details of the vulnerability before it is fixed. In a Twitter reply, Tavis said that the vulnerability has been submitted to Microsoft. At the beginning of the year, Microsoft replied that this is not a vulnerability, but Tavis submitted more evidence. Tavis said that he has confirmed that the vulnerability is indeed real, so it is not a joke. For now, the details will only be known after Microsoft fixes the vulnerability.
The founder of information security company ZERODIUM commented that it is not uncommon to find vulnerabilities in Notepad, but most of them were sold by hackers. What is really rare is that a security expert discovered a Notepad vulnerability and reported it to Microsoft instead of selling it directly.