- A Google researcher has discovered a way to exploit Notepad remotely.
- The researcher claims that his method is perfectly doable but can’t reveal anything before it’s been fixed.
- Other researchers believe that a truly feasible remote exploitation of Notepad is impossible.
According to the findings of a Google Project Zero researcher, Tavis Ormandy, it is possible to exploit a previously undiscovered memory corruption bug in Microsoft Notepad to open remote shell access. This could be leveraged by attackers who want to achieve a first contact and point of infiltration on a target system. The researcher has revealed the fact of the bug discovery but hasn’t shared any technical details about it as Microsoft is currently working on fixing it. If the tech giant fails to address the bug in three months from now, the researcher will fully disclose it.
Am I the first person to pop a shell in notepad? 🤣 ….believe it or not, It's a real bug! 🐞 pic.twitter.com/t2wTh7E93p
— Tavis Ormandy (@taviso) May 28, 2019
What he did share is that the flaw is really severe, meaning that it can lead to serious problems. As Notepad is the Microsoft Windows default text editor since 1983, almost all computers out there have it, and so the possible exploitation potential is very high. Fortunately, malicious hackers don’t know what the vulnerability is exactly, but the speculation on social media platforms has already started. After all, and as other researchers point out, Notepad is exposing so little of an attack surface that finding a severe bug that allows a remote shell connection is pretty crazy.
Some researchers believe that no matter what the severity of the Notepad bug is, the main problem for the attackers would be to launch Notepad and have it parse a file. While this was possible to do in the past through the manipulation of an Internet Explorer 11 vulnerability, it is now considered next to impossible as all of the relevant flaws have been plugged. So, the Notepad memory corruption bug may be there, and it may be hazardous, but one would have to sit on the target computer and launch the text editing application, so there can’t really be a successful method of remote exploitation.
More security specialists add that the ASLR (Address Space Layout Randomization) which prevents the exploitation of memory corruption vulnerabilities would be an insurmountable problem for an attacker to surpass. Getting around the CFG (Control Flow Guard) exploit mitigation would also be a hard feat to achieve in the context of exploiting the particular bug. Ormandy accepted the considerations of his colleagues but insists that he has managed to find a path to remote exploitation based on the memory corruption bug. Whatever the case is, this has created a unique kind of anticipation in the world of cyber-security, and until Microsoft fixes the flaw, we will have to wait for the proof-of-concept code to emerge.