Skip to main content

Notepad has a major security flaw that leaves Windows PCs vulnerable to hackers

Microsoft Surface laptop
Microsoft Image Gallery/Microsoft

A new security flaw has been discovered in one of the Windows operating system’s simplest apps: Notepad.

According to TechRadar, a security researcher has recently discovered a major vulnerability in Windows PCs involving Microsoft’s most basic text editor. The Notepad security flaw, as discovered by Google Project Zero security researcher Tavis Ormandy, could be exploited to let hackers take over whole computers “simply by loading some malicious code using Notepad.” And this particular flaw may affect PCs running versions of Windows as early as Windows XP.

The flaw itself, as TechRadar notes, involves taking advantage of a weakness in the Windows Text Services Framework. (This framework deals with things like text inputs, text processing, and keyboard layouts.) Within this framework is the source of the security flaw itself, a component known as CTextFramework. And as The Register reports, this component has its own security flaws that ultimately render it vulnerable to being hacked “via applications that interact with it to handle text on screen.”

Furthermore, TechRadar notes that Ormandy’s investigation into the Notepad flaw essentially found that the system’s security protocols “can be easily bypassed” and could allow hackers to not only increase their access privileges but also “gain access to multiple systems across the victim’s device.”  Ormandy’s blog post on the matter further described the extent of the CTextFramework vulnerability:

“Firstly, there is no access control whatsoever! Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications – even privileged applications – to connect to you. Even when working as intended, CTF could allow escaping from sandboxes and escalating privileges.”

According to TechRadar and ZDNet, Microsoft has released a patch for this flaw, which is officially known as CVE-2019-1162. This patch was released on Tuesday, August 13, as part of Microsoft’s monthly release of security updates known as Patch Tuesday. ZDNet reports that the August 2019 edition of Patch Tuesday included patches for a total of 93 security flaws.

Editors' Recommendations

Anita George
Anita has been a technology reporter since 2013 and currently writes for the Computing section at Digital Trends. She began…
Are Windows 11 security features killing your gaming performance? You might be surprised
A gaming laptop with the ReSpec brand over it.

Microsoft resurrected a controversial topic in the PC gaming community recently: Windows 11's security features. Days after Windows 11 launched, there was an outcry among PC gamers due to a security feature that is enabled by default in Windows 11. In particular, Virtualization Based Security or VBS.

PCGamer cried foul after it noticed a 28% drop in Shadow of the Tomb Raider, but Windows 11, at the time, was experiencing gaming performance drops of 15% or more in some cases, so the results didn't sound out of order.

Read more
This Microsoft Teams exploit could leave your account vulnerable
A video call in Microsoft Teams is displayed on a laptop.

According to analysts from cybersecurity company Vectra, there's a massive vulnerability within Microsoft Teams, and countless users could potentially be affected if hackers gets their hands on it.

The program has a flaw that makes it possible for attackers to steal the login credentials of users and log into their accounts. Unfortunately, Microsoft is not planning to patch this right now, so read on to make sure you're staying safe from this unexpected Microsoft Teams issue.

Read more
This severe TikTok vulnerability gives hackers 70 ways to steal your info
Person's hand holding a smartphone with TikTok's logo on screen, all in front of a blurred background.

After internal testing, Microsoft discovered an exploit in the Android version of TikTok that could have given attackers access to huge amounts of personal data with a single click.

The vulnerability has already been fixed, and it does not appear that anyone has been affected by the exploit. The attackers could have used this vulnerability to access user profiles, allowing outside forces to publicize private videos, send messages, and even upload videos.

Read more