The Google Project Zero researcher Tavis Ormandy announced the discovery of a code execution flaw in Microsoft’s Notepad text editor.
Ormandy reported the issue to Microsoft and will wait 90 days according to Google vulnerability policy disclosure before revealing technical details of the flaw.
Of course, Ormandy could also disclose the details of the vulnerability after Microsoft will release a security patch to address the issue.
Ormandy anticipated that the vulnerability is a memory corruption bug and he shared via Twitter an image that demonstrates how to manage a “pop a shell in Notepad.”
The image posted by Ormandy shows that the vulnerability has been exploited to launch a Command Prompt, the expert confirmed he has already developed a “real exploit” for the issue.
A message published by Chaouki Bekrar, founder of zero-day broker Zerodium, confirms that the type of issue found by the Google white hat hacker is not uncommon to find. The real surprise, according to Chaouki Bekrar, is to find an expert that report it to Microsoft instead of exploiting it or attempt to sell it.
(SecurityAffairs – Notepad, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.