Google white hat hacker found code execution flaw in Notepad

The popular white hat hacker Tavis Ormandy has announced the discovery of a code execution vulnerability in Microsoft’s Notepad text editor.

The Google Project Zero researcher Tavis Ormandy announced the discovery of a code execution flaw in Microsoft’s Notepad text editor.

Ormandy reported the issue to Microsoft and will wait 90 days according to Google vulnerability policy disclosure before revealing technical details of the flaw.

Of course, Ormandy could also disclose the details of the vulnerability after Microsoft will release a security patch to address the issue.

Ormandy anticipated that the vulnerability is a memory corruption bug and he shared via Twitter an image that demonstrates how to manage a “pop a shell in Notepad.”

The image posted by Ormandy shows that the vulnerability has been exploited to launch a Command Prompt, the expert confirmed he has already developed a “real exploit” for the issue.

A message published by Chaouki Bekrar, founder of zero-day broker Zerodium, confirms that the type of issue found by the Google white hat hacker is not uncommon to find. The real surprise, according to Chaouki Bekrar, is to find an expert that report it to Microsoft instead of exploiting it or attempt to sell it.

Stay tuned …

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Notepad, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]