They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things.
Apparently, the “innovation” of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.


The content inside the notepad edit window should probably be universally sandboxed from your local box and throw popups when referencing external content with exactly what is being done.
They half assed the implementation.
To have something optimized they need to start from scratch with clean code
related:
Rolling out AI with the stated purpose of reducing technical debt is just fucking hilarious to me