They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.
Yeah I get your thought process, but the second vulnerability is actually just how Windows is designed to work. When Notepad follows a link, it isn’t opening a web page, it’s passing a command directly to the OS shell.
Because Notepad is a trusted native application, it bypasses many of the security checks that a browser has.
If the link uses the file:// protocol to point to an .exe on a remote server, or ms-appinstaller to trigger an install, the OS treats that as a direct instruction to launch that software, so it can trigger an app installation prompt or, depending on the exploit, silently side-load malicious packages.