Skip to main content
  1. Home
  2. Computing
  3. News

Notepad has a major security flaw that leaves Windows PCs vulnerable to hackers

Add as a preferred source on Google
Microsoft Surface laptop
Microsoft Image Gallery/Microsoft

A new security flaw has been discovered in one of the Windows operating system’s simplest apps: Notepad.

According to TechRadar, a security researcher has recently discovered a major vulnerability in Windows PCs involving Microsoft’s most basic text editor. The Notepad security flaw, as discovered by Google Project Zero security researcher Tavis Ormandy, could be exploited to let hackers take over whole computers “simply by loading some malicious code using Notepad.” And this particular flaw may affect PCs running versions of Windows as early as Windows XP.

Recommended Videos

The flaw itself, as TechRadar notes, involves taking advantage of a weakness in the Windows Text Services Framework. (This framework deals with things like text inputs, text processing, and keyboard layouts.) Within this framework is the source of the security flaw itself, a component known as CTextFramework. And as The Register reports, this component has its own security flaws that ultimately render it vulnerable to being hacked “via applications that interact with it to handle text on screen.”

Furthermore, TechRadar notes that Ormandy’s investigation into the Notepad flaw essentially found that the system’s security protocols “can be easily bypassed” and could allow hackers to not only increase their access privileges but also “gain access to multiple systems across the victim’s device.”  Ormandy’s blog post on the matter further described the extent of the CTextFramework vulnerability:

“Firstly, there is no access control whatsoever! Any application, any user – even sandboxed processes – can connect to any CTF session. Clients are expected to report their thread id, process id and HWND, but there is no authentication involved and you can simply lie. Secondly, there is nothing stopping you pretending to be a CTF service and getting other applications – even privileged applications – to connect to you. Even when working as intended, CTF could allow escaping from sandboxes and escalating privileges.”

According to TechRadar and ZDNet, Microsoft has released a patch for this flaw, which is officially known as CVE-2019-1162. This patch was released on Tuesday, August 13, as part of Microsoft’s monthly release of security updates known as Patch Tuesday. ZDNet reports that the August 2019 edition of Patch Tuesday included patches for a total of 93 security flaws.

Anita George
Anita George has been writing for Digital Trends' Computing section since 2018. So for almost six years, Anita has written…
Gemini Spark lands on the Mac, and it wants to tackle your chores while you relax
From messy downloads to date night reservations, Spark is here to lighten your load.
Gemini Spark mac app

Google has just announced a big batch of updates for Gemini Spark, making the assistant far more useful than before. Gemini Spark is finally coming to the Mac desktop app, bringing deeper app connections and a new way to keep tabs on what you care about. Let us break it down.

What can Spark do on your Mac now?

Read more
Anthropic finally brings back Claude Fable 5, but you’ll have to live with a temporary usage limit
Anthropic has received a green light from the US government to restore the AI Model, weeks after a security researcher found a way around its safeguards that triggered the shutdown.
Laptop running Claude Fable

Anthropic is restoring full access to Claude Fable 5 starting tomorrow, weeks after a US government directive forced the company to suspend the model for all users. The government order arrived on June 12 and required Anthropic to block foreign nationals from using Fable 5 and its more capable Mythos 5 model. Since the rule took effect immediately and Anthropic had no way to verify a user's nationality in real time, the company suspended both models entirely rather than risk a violation.

What triggered the shutdown

Read more
Claude’s Sonnet 5 is built to do more on its own and cost you less
Better than its predecessor, nearly as good as the flagship, and meaningfully cheaper than both.
Art, Floral Design, Graphics

Every major AI lab is racing to prove its models can work autonomously with minimal hand-holding; we’re now seeing pricing emerge as the next battleground. 

Anthropic just fired its latest shot, Claude Sonnet 5, a model the company says performs nearly as well as its flagship Opus 4.8 at a fraction of the cost.

Read more