Notepad has a major security flaw that leaves Windows PCs vulnerable to hackers

A new security flaw has been discovered in one of the Windows operating system’s simplest apps: Notepad.

According to TechRadar, a security researcher has recently discovered a major vulnerability in Windows PCs involving Microsoft’s most basic text editor. The Notepad security flaw, as discovered by Google Project Zero security researcher Tavis Ormandy, could be exploited to let hackers take over whole computers “simply by loading some malicious code using Notepad.” And this particular flaw may affect PCs running versions of Windows as far back as Windows XP.

The flaw itself, as TechRadar notes, involves taking advantage of a weakness in the Windows Text Services Framework. (This framework deals with things like text inputs, text processing, and keyboard layouts.) Within this framework is the source of the security flaw itself, a component known as CTextFramework. And as The Register reports, this component has its own security flaws that ultimately render it vulnerable to being hacked “via applications that interact with it to handle text on screen.”

Furthermore, TechRadar notes that Ormandy’s investigation into the Notepad flaw essentially found that the system’s security protocols “can be easily bypassed” and could allow hackers to not only increase their access privileges but also “gain access to multiple systems across the victim’s device.” Ormandy’s blog post on the matter further described the extent of the CTextFramework vulnerability:

“Firstly, there is no access control whatsoever! Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications – even privileged applications – to connect to you. Even when working as intended, CTF could allow escaping from sandboxes and escalating privileges.”

According to TechRadar and ZDNet, Microsoft has released a patch for this flaw, which is officially known as CVE-2019-1162. This patch was released on Tuesday, August 13, as part of Microsoft’s monthly release of security updates known as Patch Tuesday. ZDNet reports that the August 2019 edition of Patch Tuesday included patches for a total of 93 security flaws.
