Tavis Ormandy of Google Project Zero published a tweet pointing to a bug in Notepad, Microsoft's basic text editing application for Windows 10. "Am I the first person to pop a shell in notepad?" Ormandy asked in the tweet. "This is a real memory corruption exploit, I've reported it to MSRC (Microsoft Security Response Center). Surprising number of people replied thinking I was just right-clicking stuff… I said, 'it's a real bug.' It took me all weekend to find good CFG (Control Flow Guard) gadgets, just showing off."

What's interesting about this situation is that Ormandy has gone public with the bug's existence. Google Project Zero typically informs software vendors of vulnerabilities privately. Those vendors then have 90 days to issue a fix for the problem. If the 90 days pass without a fix, Project Zero discloses the flaw publicly.
— Tavis Ormandy (@taviso) May 28, 2019

While Ormandy says more details of the bug will be released in 90 days, the bug was reported to Microsoft through MSRC, and its existence was announced on Twitter rather than held back until a fix ships. Redmond has often criticized Project Zero, saying Google should work with companies to solve problems instead of putting them under an imposed deadline. "All I can say is it's a serious security bug, and we've given Microsoft up to 90 days to address it (as we do with all the vulns we report). That's all I can share," Ormandy wrote.
Unique Flaw
Speaking to ThreatPost, Dan Kaminsky, chief scientist at White Ops, says the fact that this flaw even exists is remarkable considering the limitations of Notepad. "Notepad is exposing so little of an attack surface, it's notable that it is still enough to give an attacker the ability to run arbitrary code. That's not to say that, given the little amount of what Notepad does, there isn't room for something to go wrong."

"Is this a benign thing? Or is this a real threat? Well, you have to ask yourself: can an attacker cause Notepad to be launched, and cause it to parse one of these files? Because if you can't get to a specific application, it doesn't matter if there's a bug there," Kaminsky said.