> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
That's like my pencil having a CVE that's to do with how it loads the ink. That old saying about 'if Microsoft built a car' is more true now than it was then: https://www.snopes.com/fact-check/car-balk/
> Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light.
> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.
> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.
> You would press the 'start' button to shut off the engine.
If you live long enough, satire eventually becomes reality.
The desperation for feedback is grating. You have a monopoly position, you know I cannot switch from this, why waste my time with this dialogue? Not like you take user opinions seriously anyway.
It's hard for me to imagine anyone balking at this feature. My core note taking workflow frequently involves:
1. Note about blah
2. Paste link to blah
3. Open that link later when reviewing my notes.
Blah is sometimes a web link, sometimes a link to a doc on my system, and sometimes a link to an item in my todo tracker. The better analogy is this is like a pencil having an eraser built in.
I use Drafts instead of Notepad, but if I used Notepad I would want to be able to easily open links in my notes. When I do find myself in Notepad, it's because I double clicked on a readme file that often contains links to resources I need.
But then notepad wouldn't be fetching the content. While I would still prefer notepad to be simple, and just making you copy paste the link, I would expect it to forward a link to a browser, or something. I would not expect notepad to go out and fetch random content from the internet.
Notepad stuck around in Windows for so long, despite Wordpad also being built-in, because Notepad was supposed to be for e.g. editing C:\AUTOEXEC.BAT or C:\Windows\System32\hosts.txt in Safe Mode. It was basically supposed to be the /bin/sh to Wordpad's /bin/bash — the thing that'll save you in maintenance mode when the system is so hosed that nothing more complex will launch.
If your computer was working, there was never really supposed to be a reason to invoke Notepad. Programmers were expected to install IDEs or third-party text-editor software. Microsoft's own READMEs have always been .rtfs ever since Windows 95. And so on. For a little while, you might use it to view system log files? But the Windows NT lineage gave Windows an Event subsystem with its own MMC-based console, so even that didn't require Notepad any more.
It's therefore bizarre that Microsoft have decided to "enhance" Notepad into this pseudo-rich-text thing, while also sunsetting Wordpad; when it seems like what they really wanted was to "enhance" Wordpad to also do what Notepad does, while sunsetting Notepad. (Even with full back-compat, they could have done this by making Notepad.exe a stub that launched Wordpad.exe with flags.)
Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.
Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.
You cannot claim you're "against feature bloat" and then in the same breath say that it is acceptable for a basic text editor to have an entire additional render pipeline.
If you want Markdown use VSCode, it is a first class citizen. Don't take an intentionally stripped down text editor and bolt on VSCode-like features.
As I posted in a sibling, I thought the whole point of markdown was that it was simplified to the point that rendering it was easy to do from scratch. But we fumbled that because we (collectively) have no idea what we are doing.
The whole point of markdown is that it is easily readable and editable and the structure is evident without being rendered. That it doesn't strictly need to be rendered in all or any context is its utility.
> But we fumbled that because we (collectively) have no idea what we are doing.
Because, almost entirely, the software development industry has disclaimed all responsibility. It's super common for people to try to do shit they have no experience or skill at, push their effort to be adopted by others, then when it crashes and burns they have no accountability. If software "engineers" adopted the rigors and accountability and dignity of traditional engineering, the industry would be very different.
And on top of that, now we have people letting LLMs go to town on their work, even though the things can't program worth a damn, all because those people can't be assed to actually program (you know, their job). We're entering very dark days for software quality, unfortunately.
The main problem with "Markdown support" in Notepad is that "Markdown support" is an ill-defined phrase. The closest thing to a well-defined definition is to support CommonMark but that is far, far from universal. Microsoft being Microsoft they'd probably still half-ass the job then just declare their new half-ass support a newly embraced-and-extended standard and leave it that way for the next 20 years, so asking Notepad to support Markdown is in practice asking for yet another effing Markdown dialect to come into existence and join the shambling horde of other dialects.
Markdown is more properly understood as a family of related-but-mutually-incompatible standards, like CSV, and like "supporting CSV" is a lot more complicated than meets the eye. And supporting Markdown is already clearly non-trivial compared to the baseline of Notepad we've come to expect over the past few decades.
I might be dumb, but I thought the whole point of markdown was to get rid of all the bells and whistles of styling, having a really simplified and dumb format that only outlines structure. The follow-on being that many tools could parse, transform and render said markdown files in a way that makes sense for them. That way there's lots of tools that don't share code, but a shared definition of the format. I.e. markdown is a format (!?).
The problem is that overall we seem to have fumbled both the concept and the implementation. There are a bunch of vaguely similar but incompatible markdowns and apparently rendering them is too hard and people immediately reach for an enormous pile of software (usually a web stack) to render it for them.
It should have been entirely possible for a person to write a markdown parser in a couple hours and e.g. render paragraphs, bulleted lists and tables into a terminal.
Goals aren't results. It was a goal for Markdown to be simple and universal. It is not a result.
You may be struggling a bit because you are reading some sort of moralization into the statement, some sort of emotional judgment, but there isn't any. It is clear that there does not exist a function that takes a span of "Markdown text" in and emits an abstract syntax tree that everyone agrees upon [1]. That's a fairly mathematical way of putting it, but even from an engineering point of view, the differences matter. Very quickly. It's not like you need to reach deep into crazy syntax to get to real, concrete disagreements between systems, you can hit problems with something as simple as
"_hello world _"
between the systems where they will do substantially different things.
There are literally dozens of markdown formats now.
How we got there, why such a thing exists, as interesting as those questions may be none of them change the reality on the ground. There is no universal markdown to be appealed to. The closest is CommonMark, and that explicitly exists precisely because there was no consensus in the first place. If markdown was a format, CommonMark would never have been created.
[1]: Nor does its inverse, which at times is more frustrating to me than this. I have in mind what I want to do and either can't figure out how to do it or it simply can't be done.
The answer, of course, is to design a new, universal markdown format :)
But seriously though, all those weird markdown formats could easily just have their own custom parsers that then translate into the common format--supposing the common format is the union of all their features.
Markdown is readable as plain text, that's kind of the point of it
There's also a pretty large jump between "I can ask the system to open this link in the default browser" and "I have built my own link handling in a memory-unsafe language to support some really fringe features, and oops it's exploitable"
No, that's exactly what the vulnerability is as far as I know.
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files." https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
Wordpad, Notepad++ and many others highlight and let you double-click the URL in the first three lines, and yes they use the shell to open cmd.exe, yes they open remote shares (which if they're properly remote, the shell throws up a warning prompt asking if you want to connect). Wordpad always prompts if you want to open the link (and shows the link) before doing it, but you can click "Yes".
What's beyond the pale is that MS's new Notepad highlighted custom URIs like the fourth link, and let you click to open it without a prompt. Even web browsers will prompt at least once with a special modal dialogue, the first time you click on a link to a custom URI. For safety, a text editor should stick to highlighting http/https/file URIs only.
That's the "RCE", in the same way that telling a Linux user to type "curl | sudo bash" in their shell is "RCE".
The fix is that clicking the link now gives a dialogue box asking if you really want to click it, and remember to click no if you're not sure.
I wish they made this clearer as being the issue. It's what it came across to me like, but I couldn't actually say for sure that's what they meant because the CVE pages didn't make it obvious. And the comments here didn't help because everyone is just complaining about feature creep rather than discussing the actual problem.
Anyway, what this now has me thinking is, should protecting against this be expected to be done per-app or should it be at the OS level? It seems like it would make more sense to have the OS keep records on what application is allowed to open what kinds of links. Maybe with some mechanism to allow the app to cooperate with the OS if they want finer-grained permissions (such as a chat app passing the poster's user ID to the OS when invoking the link, so you could set an 'always allow' rule for links from specific users rather than the full app).
Just... no... not notepad.. Notepad should be the single-simplest of text editors, always has been, always should be... it should be "safe" much like "task manager" it should be as simple and bulletproof as any application in Windows are... these are essential tools that should never, ever, ever break.
MS has WordPad... fck around with that to make it support markdown or whatever else beyond rtf you want it to support. For that matter, it's probably that much more appropriate to do so.
Do I typically use Notepad, no.. not really... I actually use the new rust based edit terminal app more than Notepad. That said, I expect notepad to do one thing... edit text files, and to not break doing so. The ONLY* addition that might be acceptable would be a HEX Editor mode, so you can edit any file.
There are maybe 5-7 applications in Windows I expect to never break... task manager, notepad, registry editor, file explorer, command prompt are at the top of that list... these are the golden tools that should never fail, even if everything else does.
Old notepad is still there, it's just in System32 and you have to disable app execution alias for notepad.exe (apps > advanced app settings > app execution aliases)
FYI, old notepad has a permanent advertisement / notification at the top saying that there's a new version of Notepad available!
I'm not sure if it's possible to get rid of the nag banner. And even if it is possible to get rid of it temporarily, it's probably not possible to get rid of it permanently.
Oh, so Microsoft can never, ever, possibly resurrect the product or even name of the product again? This is even more reason why it was probably a better place to put features like a markdown editor.
The problem is notepad itself would download and execute bad stuff if you click the evil link. If you would paste that same link in a browser you'd be ok.
And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.
Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have an RCE
I believe it is. Just tested it. You can make the link "C:\windows\system32\cmd.exe" and clicking it will launch the Command Prompt. I noticed you can't make it "C:\windows\system32\cmd.exe /c some-nefarious-thing"; it doesn't like the space. Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.
> Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.
1. You can use UNC paths to access remote servers via SMB
2. Even if it's local, it's still more useful than you make it out to be. For instance, suppose you downloaded a .zip file of some github project. The .zip file contains virus.exe buried in some subfolder, and there's a README.md at the root. You open the README.md and see a link (e.g. "this project requires [some-other-project](subfolder\virus.exe)"). You click on that and virus.exe gets executed.
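As an added illustration of the link-handling policy these comments circle around (this is constructed example code, not Notepad's implementation and not code from any poster): a small classifier that sorts a link target into open / prompt / block, forwarding only http/https to the browser, asking before handing a local non-executable file to the shell, and refusing executables, UNC/SMB paths and custom URI schemes. The suffix list and the sample links are constructed for the example.

```python
"""Conservative link-target policy for a plain-text editor (constructed example).

Policy, drawn from the discussion: http/https go to the default browser; local
non-executable files are opened only after a prompt; executables, UNC/SMB paths
and custom URI schemes are refused outright instead of being handed to
ShellExecute. The suffix list below is a constructed, non-exhaustive sample.
"""
import re
from urllib.parse import unquote, urlsplit

# File types the Windows shell runs rather than displays (constructed sample list)
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".msi",
                       ".ps1", ".vbs", ".js", ".lnk")
DRIVE_PATH = re.compile(r"^[a-zA-Z]:[\\/]")


def looks_executable(path: str) -> bool:
    """True if any whitespace-separated token of the (percent-decoded) path ends
    in an executable suffix, so 'cmd.exe /c ...' is caught as well as 'cmd.exe'."""
    return any(token.endswith(EXECUTABLE_SUFFIXES)
               for token in unquote(path).lower().split())


def classify_link(target: str) -> str:
    """Return 'open', 'prompt' or 'block' for a link target found in a file."""
    t = target.strip()
    if not t:
        return "block"
    # UNC paths (\\server\share\...) reach remote SMB servers: never auto-open.
    if t.startswith(("\\\\", "//")):
        return "block"
    # Absolute local paths (C:\...) are not URLs; urlsplit would read 'c' as a scheme.
    if DRIVE_PATH.match(t):
        return "block" if looks_executable(t) else "prompt"
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if scheme == "":
        # Relative path such as subfolder\virus.exe from a README next to it.
        return "block" if looks_executable(t) else "prompt"
    if scheme in ("http", "https"):
        return "open"          # the browser applies its own download warnings
    if scheme == "file":
        # file://server/share/... is a UNC path in disguise.
        if parts.netloc not in ("", "localhost"):
            return "block"
        return "block" if looks_executable(parts.path) else "prompt"
    # Anything else (mailto:, javascript:, vendor-specific app schemes) is refused;
    # a browser would at least show a first-use consent dialog here.
    return "block"


if __name__ == "__main__":
    # Constructed sample links, not taken from a real document.
    samples = [
        "https://example.com/docs",
        "C:\\windows\\system32\\cmd.exe",
        "C:\\windows\\system32\\cmd.exe /c some-nefarious-thing",
        "\\\\fileserver.example\\share\\payload.exe",
        "subfolder\\virus.exe",
        "docs\\notes.txt",
        "file:///C:/tools/cmd%2Eexe",
        "custom-app://launch",
    ]
    for link in samples:
        print(f"{classify_link(link):6}  {link}")
```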
Programs (this is true for most mainstream operating systems) can become network facing without realizing it. I've found that a bunch of Windows programs sometimes tend to assume that I/O completes "instantly" (even if async I/O has been common on Windows for a very long time) and don't have a good UX for cancelling long-running I/O operations
Something interesting I found while looking up Hungry Jacks (the Burger King franchise here in Australia) is that the angry Whopper is a normal menu item here but it seems to be only a seasonal/special item for Burger King.
See the chopped "rld" on the left? That's the link to the "World" section. To the left of that off the screen should be the "U.S." section. But there's no horizontal scroll bar or any way to get to it, or any way to even know it exists. Categories spill off the right too, and you can't get to those either. This anti-feature, in the name of accessibility has actually just made things worse.
For reference, here's the totally sensible result if you just don't enable "zoom text only": https://i.imgur.com/Kkd5aOu.png
Also even limited to visible spectrum, I have not seen any 99 CRI bulbs. The highest one I have ever found are the 98 CRI by YujiLED, but you pay around $35 for a single bulb. It is absolutely not "easy" to get flicker-free high CRI bulbs, let alone ones that cover the infrared range.
Philips, GE, Cree, and others sell high-CRI bulbs.
10 years ago you had to work to find high CRI bulbs but could still find Cree bulbs pretty easily. Now you can get high CRI bulbs at the grocery store.
High CRI bulbs generally have low or no flicker because high CRI is toward the premium end of the market.
Almost all of the bulbs you can find at a hardware store (let alone grocery store) exhibit terrible 120hz flicker. I know because I've literally tried every single one. Also it's not hard to get "high" (~90-94) CRI while nonetheless having terrible deep reds.
Out of the manufacturers you listed, only Philips Ultra Definition (95 CRI, R9 90) have low flicker and good R9. Unfortunately they are poorly made and I have to keep buying new packs each year but it's more cost effective than Yuji for lesser used areas.
Also the claim from TFA is that NIR component improves visual performance (and I've read elsewhere that NIR also has health benefits).
How about Philips flicker-free "warm glow" bulbs? I honestly have a hard time believing that they flicker because I can literally unscrew the bulb and watch it dim gradually over the course of a second. Which indicates to me that there's a capacitor in front of the LED drivers smoothing the current out. (Which I guess is required to be compatible with triac dimmers anyway.)
Never tried those, but speaking about flicker, some LED lamps flicker not because of the mains frequency (50/60 Hz depending on where you live) but because of their internal switching power supplies.
It's mostly a crapshoot even within the same model line. Even under "Philips UltraDefinition" some styles have high flicker while others don't. I'm not sure being dimmable is any guarantee of smoothing quality, in fact dimming is usually implemented with PWM as I understand so the easy solution to avoid flicker of chucking a smoothing capacitor on there might make it harder to implement dimming. (To dim properly without noticeable I think you'd have to PWM in the kHz range. Even cheap CFLs necessarily had the technology to operate on this frequency, for some reason it seems rare for LEDs to do it.)
They are specifically advertised to be compatible with old dimmers. I'm not an EE but old dimmers are implemented with triac which necessitates some juicy capacitors to hold the charge. Of course they could reintroduce flicker later in the pipeline for some reason, but why would they?
Huh, through experience with (mostly non-premium) LED bulbs, I've learned to interpret "gradually dims over the course of a second" as an early indicator of imminent bulb failure.
If you look at energy efficiency, it totally is. But the whole point in the discussion is that IR _might_ (according to the paper) have biological relevance.
You can't buy heat lamps? They are even more infrared and last longer.
Also LED lighting can have infrared, have a significantly smoother spectrum curve and still last +20k hours without burnout. The cheaper bulb spectra that they show is a blue led + phosphor coating, but there are infrared LEDs, UV leds, and more. You can make quite the convincing sun simulation, even better than any incandescent bulb, but there is almost no demand for UV + Infrared super full spectrum lighting unfortunately. Only movie & theater lights come close.
> LED lighting can have infrared, have a significantly smoother spectrum curve and still last +20k hours without burnout
Do you have a link to a bulb that you can purchase meeting all these criteria? The only one I'm aware of was this obscure "StarLike" that was never actually sold in bulk. LEDs can be made good in theory sure, but in practice they are all terrible in light quality compared to a standard incandescent.
You would need to see the spectra of the various LEDs available and create a mix along with phosphor mixes. The closest thing is something like a BLAIR-CG light engine from aputure where they have something like 9 different colors of LEDs that mix together, but they don't put any infrared leds in them because they are for movies and they don't put any UVB or proper UVA leds. But there are infrared, UVA & UVB LEDs that you could apply the same kind of engineering principle to make something that closely follows the sun spectra.
No, you can't buy them as bulbs. The closest thing is those red light therapy panels that include them.
There are efficiency standards and laws for large appliances.
This isn’t some kind of controversial subject. Ensuring home appliances don’t overconsume energy is beneficial for everyone in society.
You don’t want to have brownouts, blackouts, or run out of heating gas/oil in the winter.
You bring up the idea of regulating computer equipment power efficiency as if it’s crazy talk but it’s a real thing in concept. Governments do offer guidance and sometimes regulate computer efficiency. They have efficiency standards (e.g. Energy Star) as well as relying on industry standards (e.g. “80 Plus”).
Take a look at your computer monitor or TV box and it probably has an energy star logo somewhere if you live in the US.
The US federal government and other state and local agencies will not buy computer products that aren’t energy star compliant, and encourage businesses and individuals to follow similar standards. Other countries might regulate further than these (dis)incentives.
And if you bring up data centers, those are considered productive industry that has its own regulations different than home regulations. Plenty of things legal in industrial series aren’t legal in your house.
High-powered computers are a niche issue, which means on a society level there's little benefit to restricting them.
Lightbulbs on the other hand affect all of society, so they've got a much larger impact to the overall CO2 budget.
Additionally, the average person uses a laptop or mobile devices, all of which use less power than even a single typical incandescent bulb (and people usually have many lightbulbs).
Replacing incandescent bulbs with LEDs saves a lot of CO2 at basically zero cost, while getting rid of computers saves less CO2 for a much larger economic impact.
And even the effect described by this article has to be looked at in context, considering most of the light people experience in a day — and have experienced since homo sapiens existed — is natural sunlight, even in northern Europe during the winter (that's why EU law mandates windows with sunlight in every office, apartment, bedroom, etc.)
Something I did a little while ago was read through most of Busybox vi's source code, and work out my own simple documentation page with most of its options.
It doesn't do visual mode but it does still work with registers etc.
CVT is not the same as "automatic transmission", but it is a subtype of automatic transmission, i.e. CVT is a kind of automatic transmission, but there are also other kinds of automatic transmissions, which are more frequently used.
"Automatic transmission" just means that you do not change gears manually, which is also true for CVT.