Why is Microsoft updating their text editors!? | TheStandup
Do we want to get to the main topic?
This Yes.
>> main topic. 40 minutes in. Yeah.
>> Uh anyways, sorry. Today on the standup,
we are going to have Casey Muratori give
us the lowdown on Notepad and Notepad++.
If you are not familiar, there has been
some big news in both of the old pads.
And so, Casey, why don't you take this?
>> I mean, big big news might be saying a
little bit much. They both had security
exploits is really what was kind of
weird. And the reason normally we
probably wouldn't be talking about it if
it weren't for the fact that it's kind
of just getting absurd now that like
both of the Notepad apps for Windows
both had security exploits in like the
last 12 months. Uh which is just kind of
a little bit weird and you're just like
how are how have we gotten to the place
where like the text editor is regularly
having security exploits.
So, I'll start with regular Notepad,
which is just the one that comes bundled
with Windows. That's the one that you're
probably most likely to use because it
comes directly from Microsoft and you
don't have to have installed it. It's
just going to be there, right?
So, this one's kind of nuts. And
actually, I'm I'm sort of glad that I
read up on this one because I didn't
actually know this fact about Windows. I
maybe could have guessed it had I
thought really hard, but I might not
have because I might have been like,
"Well, surely no one would do that." Um,
>> you underestimate Microsoft, my friend.
>> And I was like, "Okay, I guess uh yeah,
lesson learned." So anyway,
so what happens is, uh, in Notepad, in
normal Notepad now, they've sort of
started adding features, which is
exactly what you don't want someone to
do to a Notepad, right? Like the whole
point of Notepad is it's just this like
really crappy text editor and you can
kind of breathe a sigh of relief when
you fire it up because it's just not
going to do anything, right? So you kind
of would have hoped that like, oh, if
I'm going to open this file, nothing
could possibly go wrong because it's
Notepad. It doesn't have anything in it.
Can't do anything. It's fine. But
they've been steadily adding features to
Notepad. So now that's not true anymore,
right? It's got Copilot integration and
all this other stuff. Now
>> that's what I need.
>> Yeah. So now if you open up Notepad,
it's like anything goes. It's just like
opening up Microsoft Word or something,
who knows how many security uh snafus
could be hiding. So, one of the things
that they did is if you open a markdown
file in Notepad, now normally you'd
think, well, it's just notepad, so if I
open a markdown file, it's going to show
it as a text file. But no, it will
actually do the markdown parsing in
Notepad, I guess. And now, I have never
noticed this myself. I've never used
Notepad to open a markdown. I didn't
even know it did that.
>> Same. Apparently it does, right? And one
of the things that it does when it
parses the markdown file is that it
properly obeys that like parentheses
bracket syntax for linking where you can
basically put in like here's a URL of
some kind and here's the display text
that I want for it. It will actually do
that conversion and properly display
that in the notepad so that you can kind
of just click on links and they will,
you know, it'll take you to the links.
Now, here is where the problem begins.
The way that they shipped this feature
is like
mo
>> Oh my god.
>> So,
>> Casey, are you okay? Do we need to like
do we have do we need like a personal
chat right now?
>> Yeah. Here, Casey, I can make you feel a
lot better. I actually do have a copy of
uh the secure notepad. It's right here.
I got it right here. This is This is
super secure. I've got
>> Yeah, you could you could have fit secur
one online.
>> No mistakes.
>> No mistakes. Anyways, go ahead.
>> Hey, is that HTTP? Get that out of here.
That's not how we order coffee. We order
coffee via ssh terminal.shop. Yeah, you
want a real experience. You want real
coffee? You want awesome subscriptions
so you never have to remember again? Oh,
you want exclusive blends with exclusive
coffee and exclusive content? Then check
out Cron. You don't know what SSH is?
Well, maybe the coffee is not for you.
>> So, the way that they they shipped this
feature, uh, anyone that mo this will be
lost on most of you, but anyone who's
been like a longtime Windows programmer,
they will be they will just they won't
they'll have the face that I just had on
my face. They will have that on their
face, too.
So the way that they shipped this
feature was they do the markdown parsing
as you would expect and they produce the
like URL. They they produce the like
string the display string like you would
in markdown and they take whatever the
URL would have been and they save just
that raw string. Basically they just
keep that.
When the user clicks on the link,
literally they call ShellExecuteExW
and just pass that through.
>> Oh man. Hey Gabby,
>> how's that even pass? Like is it like
security audits when they like do this
stuff?
>> I don't believe it.
>> Yes.
>> And it's hidden, right? You can't see
what it is because it's it's hidden
under
>> Yeah. I mean it's not going to tell you
what it it's just going to pass it to
shell execute just that's it right so
it's just like they fill out you can
actually go see uh the people have
decompiled the code so they you can
actually go see it's like yep it fills
out the ShellExecuteInfoW struct, it
sets the verb to open and just just
blam the string is just there's the
string like have a party open right
>> wow
>> so basically what this means is that
anybody who, you know, was unaware
because like normally you wouldn't think
that's what it would do. Like normally
you'd be like, "Oh, this is going to go
to a web like this will go to a web
browser and the web browser will
interpret the URL. So how risky could it
possibly be? It's no different than if I
was just clicking a link on a website,
right?" No, you can literally put
anything you want in there like file
slash the path to something you want to
run and it will just run with your
permissions on your machine right there.
No web browser necessary, right? I tried
I'm trying in my head to come up with a
reason why that happened and like I
can't even come up with one.
>> Well, I'm trying to come up with how it
was allowed to happen. That's the
>> So So that's just in there, right? And
the only real saving grace here. So like
that's really bad. Like that just should
never I mean that's not
there's people there's apologists who
like replied to the tweet that I made
about this who were like well I mean the
user clicked on the link. I'm like no no
no I don't think you understand the user
clicked on the link is true for every
security exploit that's ever occurred.
Like every security exploit somebody at
some point installed something even if
it's the operating system. And you can't
be like, "Well, they installed an
operating system on the computer, so
it's their fault that eventually it got
hacked." Like, no.
>> They clicked accept on the terms and
conditions, so therefore.
>> Yes. Like the user is if the user clicks
on a link, it's the program's
responsibility to ensure that it's going
to just open the link in a web browser,
not oh, that could just be crap that
runs on your machine. Now,
>> can I can I ask a follow?
>> That's not on the table, right? Yeah. So
shell execute when it gets handed a URL
that is a properly formatted HTTPS thing
will just launch a browser. It had I
didn't even that's kind of crazy. I I
guess I never really realized that you
could just
>> protocol you so shell so so shell
execute um
>> I don't know shell execute. I've never
tried this method. It just seems
interesting to me that you can just be
like here's https you know what to do
and it's just like
>> yeah actually this is so so you could
think of it as that is the job of open
so so when you do shell execute you can
basically pass there these things called
verbs right
>> is xdg-open the same
>> sorry
>> sorry, keep going. I'm just trying xdg-open
>> yes
>> um and the idea is this is you know it
it makes sense and when it was created
you know shell execute uh the first time
I remember it was in win 95. Uh so it's
it's been around like a very long time
but the yeah uh but the ide
>> yeah uh so the idea behind shell execute
is very simple it's that protocol
handlers like people who know how to do
something they can register those with
the shell and the shell can go oh you
know I you know someone called open and
they gave me a PDF file who are the
people who are currently registered to
handle PDF files Okay, let's open one of
those and hand them this thing. So, it
literally like this is its job. Its job
is to take something like a URL and
decode it into saying, "Oh, that I know
how to open one of those. Here's a
program on the machine that can do that
for me." So, shell execute is operating
as intended. Now, obviously, this is a
huge security hole, which is one of the
reasons you generally don't want a
program to just be calling shell execute
on stuff if the user is unfamiliar with
it. Typically, like if you're going to
call shell execute, you probably want to
do a bunch of like hardening of that
path to make sure that you've parsed the
string yourself and know that it's not
something confusing. Right now,
obviously this has been a security
exploit topic before because
and now we'll get to the really cool
stuff.
So, prior to 2024,
one of the things that shell execute did
know how to handle was installer apps.
So MSIs, that just runs and
installs crap to your machine, right? So
you could with this exploit, you could
do ms-appinstaller: some remote file
and it will download and run it. Now
thankfully in 2024, Microsoft just
removed that feature.
>> 2024
>> 2020 Well, you know, better late than
never, Teej.
>> Yeah. Yeah, that's okay.
>> Yeah. So
>> Wow. So now what will actually happen if
you wanted to do the maximal version of
this notepad exploit is thankfully
Microsoft's other you know people who
removed that will stop that from
happening. You'll get a box that pops up
that says hey uh I can no longer
autoinstall things. Please notify
whoever it was that distributed the
software that they have to update their
installation link. Like yes good very
very good job. Um that was good. Right.
And so that actually stopped this
exploit from being potentially a lot
worse than it was. Now
>> question one quick question. Can you
just do like a like a curl,
you know, some I don't know what they
call uh DOSS scripts. I I'm just going
to call bash for, you know, some remote
script and then pass it into bash,
whatever the equivalent of that. Can can
you just shell execute that? Can you
just shell execute a curl?
Uh, so you as far as I know, and I guess
I haven't thought about it too hard, but
as far as I know, with with a single
click, meaning all you're going to do is
click on one of those one of those
markdown parsed links, and it's going to
pass something to shell execute.
The thing that it's going to do has to
be resident on your machine. So, it
would have to be like file something on
your machine and it would run that.
>> Okay? But it can't with because they
closed that ms-appinstaller. So, so a
practical exploit for this exploit would
have had to look like, hey, um, here's
the GitHub for our document collection.
No executables or anything, right? And
you download it, but it does secretly
have an executable in it, but you're
never going to click on that because
it's some buried in some subdirectory
you'll never see or whatever, right?
Yep. then the main page which is like
hey table of contents with a link you
click on that and it's got a file link
to that executable and it runs it and
then you're done you're toast right
because that's going to run that
executable with your permissions right
away um so but without that ms-appinstaller,
because that loophole is closed
now for shell execute I don't think
there was a way to have one-click both
download and run a program I could be
wrong about that though but I don't
think with a single shell execute it can
do that it had to be something already
resident. So, it could either go get a file
from the internet like by opening a web
browser with one click or it could run a
file already on your computer. But, I
don't think it can do both together. I
don't think uh people can correct me if
I'm wrong about that though because I
mean I'm not the person who reverse
engineered this exploit. So, I don't
know. I'm just going by what uh security
researchers uh put up there and making
my best guess. Uh but I did test it
myself though. I went and ran I made my
own little shell execute thing uh to see
what happens if I did an ms-appinstaller
and I did verify that that is now
blocked at least on my whatever my
current version of Windows is that was
running on this machine I'm talking to
you via right now uh it it does in fact
block those. So that's cool. Now I don't
think unlike the exploit we're going to
talk about next, I don't think this one
was ever exploited in the wild because
Microsoft found it. So they shipped it and
then some security audit or somebody who
was going through the code or some
research team that found it sent
it to them might have been what
happened. I don't know. Uh because there
were reverse engineerings of it online.
So it might have been that one of those
reverse engineering people actually were
the people who reported it right. I
don't I didn't look to see who was the
if there somebody got a bug bounty for
it or whatever. My head canon is that
somebody was really mad that Microsoft
is shipping updates to Notepad
internally and they're like I'm gonna
show that you guys should stop updating
this cuz I know for sure that you guys
that's what I think in my head. I'm
thinking some guy inside is like, stop
updating this. I've been telling you we
just need an error.
>> Yep. The security like someone on one of
their hardcore security teams was like
they did what to notepad. All right, I'm
going to go look at that. And it was
like what did you do?
>> Yeah.
from engineering's on that team. I know
he left a shell exploit in here
somewhere.
>> Yeah. Yeah. Yeah.
>> Like the entire security audit is just
like grep ShellExecuteExW. It's like bam bam
bam bam bam bam bam. They're like oh no.
Yeah. Uh so that was that was the one
that shipped with Windows. And
fortunately, again, as far as I'm aware,
uh, this was found by either security
researchers inside or outside of
Microsoft prior to anyone getting
severely compromised by it. So, it
didn't end up being an issue, I don't
think. That's my understanding anyway.
Not so for Notepad++, unfortunately.
Notepad++,
which I use, by the way, and have now
uninstalled from my machines because I'm
now terrified
um of even using a text editor anymore,
which is terrifying. It's like I'm
having a hard time emotionally thinking
of whatever teams in charge of
Notepad++, which hasn't changed from
Windows 95 all the way up until just
like two years ago. whatever team that
was that was in charge of it has started
putting so many features into it
including AI and I don't think they're
ready for all the possible exploits.
Like I just don't think they're ready
for it and they don't know what they're
doing out there.
>> No.
Notepad++ on the other hand, uh this one
is very scary. Uh the Notepad one that I
just said is more of like a face palm
kind of thing. It's like guys don't sh
don't like we don't need to add shell
execute to like just don't put shell
execute in Notepad ever. like it doesn't
need that, right? Um but uh yeah, so the
problem is with Notepad++, this is a
different story. Notepad++ is actually
like a very sophisticated attacking
individuals. That's why this one's so
scary.
>> Oh, cool. And by cool, I mean
terrifying, but also cool story.
>> Yeah.
>> Okay.
So, and I would preface that Notepad++
is like it's, you know, it's a something
developed by just some folks, right?
Like it's not a commercial package. It's
really not their responsibility to
secure it. So, at some level, it's not
that, you know, it's not like it's some
somebody's fault for doing a bad job
because it's like, well, they you you
know, you they aren't even getting paid
to do this thing, right? Like so it's
like they're not necessarily supposed to
employ a security team or anything else,
right? But it just goes to show you that
like well if you're just using some open
source software or whatever it is, it's
like actually you might just want to be
really scared about that because who the
heck knows at this point. What happened
with Notepad++ is as follows.
They unfortunately made the decision,
which I just wish people would just stop
doing. They unfortunately made the
decision quite some time ago to have the
thing have an auto-update feature.
Now thankfully it's not the kind of
feature that's like you know Chrome or
whatever where it just silently updates
the binary like if you know if you have
the automatically keep updated checkbox
checked or something it just updates
your binary whenever there's a new one
or something like that. Thankfully they
did not do that. But what they did do is
they made a thing called WinGUp or
GUP or something like that which
they basically made their own little
update uh program their own little
update sort of uh codebase and they
actually share it. So you can use this,
you know, this is something that other
people could use as well. And it's just
an updater that checks a website, gets
an XML, a little XML like uh payload
that says like what the latest, you
know, um download is so that can compare
against itself. And if it's newer, it
pops up a dialogue box basically that
says like, "Hey, there's a new version
of, in this case, Notepad++ or whatever
WinGUp is running on. There's a new
version. Would you like to download it
now?" Right? And you can click yes if
you want it or no if you don't.
Thankfully, because I hate software
updates, for the past four years, I have
always clicked no.
Other people who probably were also
advised that they should keep their
software up to date for security
reasons, which is always a mixed like
the thing they don't tell you is the
easiest way to get security exploits is
to not update your software. And the
easiest way to get security exploits is
to update your software. So, yep. Right.
>> Um, so like you're damned if you do,
damned if you don't. And this is a great
example of that. So,
>> probably going like, "Oh, I should make
sure I'm up to date on my Notepad++."
Clicked yes. So, this particular updater
at the time didn't have any kind of
cryptographic integrity check. So, for
those of you who maybe aren't familiar
with this kind of process, when you are
going to update a binary, typically what
you want to do is you want to make sure
that the binary that you're updating to
actually is the binary that you think it
is. So, for example, if I install
Notepad++ on my machine, in a in an
ideal world, what would happen is I only
have to trust the first time I got
Notepad++. Now, obviously, if the first
time I get Notepad++, it's a hacked
version of it. I'm screwed. So maybe
don't download the first version from
the pirate bay or whatever, right? But
once I have it installed, what I would
like is for that program to have what we
would traditionally call like a public
key that you know, every copy of
Notepad++ just has the same key. when it
wants to download a new version of
itself, when it downloads that
executable, it can check to see if that
executable is signed in some way so that
the binary itself actually matches
when you do a signature check matches
the public key that we have and only the
people who can who produce the binary
have the private key. So no one else can
do it without actually hacking like the
you know extracting the p private key
from this you know who wherever the
build from it and and that can happen
too at which case all bets are off but
at least now we know uh someone can't
just you know hijack it and the reason
that this is important is because if you
think about when something goes to
autoupdate it's just connecting to the
internet to get that update if it's you
know gets man-in-the-middled like somebody's
sitting there and can intercept the
traffic it can just go, "Oh, he's trying
to download a new Notepad++. I've got a
great Notepad++ for him." And gives the
you you know the the modified executable
that has all the security exploits in
it, right? So anyway, this particular uh
version of Notepad uh I guess prior to
2025, they just didn't have any kind of
verification. So they didn't verify the
XML package and they also that you know
came to say you know where you should
get the new version from and they also
didn't verify any executables that they
that you would have downloaded as a
consequence for that. So, this was just
an insecure process. And again, this is
a there's a standard CVE for this. If
you actually go uh not CV, there's a
standard what what do they call it? I
don't know if you've ever if you ever
read I'm not a security researcher. If
you've ever read those CVEs, which are
basically like the thing that details
what the exploit was from the MITRE
Corporation keeps them in a giant
list, right? Um there's part of the
thing that details the exploit. There's
like codes that they have for what kind
of exploit it was. So there like this is
just a standard kind. It's did not
validate an update binary. That's like
it's just that's just like a standard
thing, right? Because it this has
happened before.
So anyway, so that's the basic idea of
what's about to happen. And the so that
part while scary because it's like well
that's not great. The scarier part is
how they went about exploiting this
because a normal kind of exploit is a
lot less scary than the kind that they
carried out here. So what they chose to
do what the what the attackers chose to
do with it and they are believed to be
state sponsored because of the level of
sophistication
is they decided look if we start
randomly exploiting all of these you
know this back door to to notepad you
know that's going to get detected
quickly. So instead what we'll do is
we'll pick high-value targets whose
machines we were trying to compromise
and we will see if any like of those IP
addresses connect to update notepad++
we'll man in the middle it because we
figured out how to hack the web like we
hacked the like the web provider or
someone in between the web provider I
don't remember the specifics are
actually uh not as well documented as I
would have the specifics of the hack are
very well documented the specifics of
exactly what the man in the middle part
looked like we're not we man in the
middle that we're just going to wait
we're going to pass everything through
so it looks like notepad++ is updating
normally for everyone else but when we
see a high value IP comes in then we'll
slip them the mickey right then that and
only that cup of coke gets the roofy
right so what they then do is they serve
just the high-value targets an updated
Notepad++
that has
and I loved I loved this. It was I don't
know if if hackers do these things to be
funny because you know I I I've never
really known like a real black hat
hacker I guess but I know some people
who are kind of like maybe adjacent to
that and they do like inside jokes uh in
that way so I don't know. So what it
does is it includes
a legitimate
copy of Bitdefender of some executable
from Bitdefender a legitimate one
that they have replaced some of the DLLs
that it loads. So they use an executable
that is signed but that loads an
external DLL so that they won't get
security checked on that and they
replace just the DLL it loads with the
DLL that does the security exploit that
they need right so I'm like okay so they
give you this package and effectively
what happens is Notepad++ will update
itself with the bad version that you
sent it doesn't check it just starts
running that you think you're running
Notepad++ but Actually, you're running
this uh copy of Bitdefender, which
they've actually renamed to Bluetooth
service. So, you're running a thing
called Bluetooth service, which yes,
you're running this extra thing called
Bluetooth service that's actually a copy
of Bitdefender that's that's intact.
They haven't changed that at all, but
they replace some of the DLLs that it
would have loaded with ones that have
their exploit payload. And off we go.
So, this thing was like pretty hard to
find apparently. I'm not sure how the
security researchers actually ended up
doing it. You could see uh you can go
read Rapid7 has like their full
breakdown of like how they went about
finding it and it's like they had to
find it on just there was a small number
of machines that were having this happen
and they had to dig into it I guess
because again like very few people had
it so it's kind of like hair pulling of
like wait what's going on and eventually
they were able to track it back to the
fact that it was notepad even though
most people's notepad installs were not
compromised right so at the end of the
day. This is kind of terrifying because
it's like, holy cow. Like, I mean, I'm
not a high-value target, so I guess I
don't really have to worry too much
about that kind of thing. But it's crazy
just how intentional these things are. I
didn't quite realize like how specific
they might be. And my guess is we have
not found most of these, right? Like
like this is not the only time they've
done something like this, I'm sure.
And what are the chances that we've
actually detected most of them?
>> That's interesting that they're able to
man in the middle so thoroughly like
that. That's what I'm like most curious
about is how how could you like what
kind of access do you need to have or
what have you hacked to be able to do
that? just the web provider that
happened to be running um the the little
WinGUp updater other end or whatever it is
or not or the not the other end the um
where the file the the web provider
basically
>> whatever they were hosting the notepad
>> they just had to hack the host that's it
yeah
>> that's crazy and then they would just
they would selectively pick which one is
wild
>> yeah well that's the thing is like yeah
like I feel like that's what makes it so
insidious is because normally Like if
somebody hacks a web host provider or
hacks some website, a bunch of people
will get screwed but will know like that
day, right? Because all hell breaks
loose and like and security research are
seeing weird files like they're
monitoring all this stuff, right?
>> Yeah.
>> Whereas this they don't see anything
>> because they're not a high value target.
>> Well, they're presumably they know they
try to figure out where all of those
collection spaces are and intentionally
would never serve it to one of those.
Right. The hard part is finding someone
high-profile using Notepad++.
>> Dang it. You took my joke, trash. That's
what I was going to ask, is there such
thing as a high value target using
>> No.
>> Sorry buddy. I said it already. Sorry
prime. I said it already. Sorry.
>> I said can I ask the question?
>> That's why I slipped it in there. I was
like, I got to get this in before
somebody else says it.
>> Trash. That's genius. Thanks a lot.
Thanks a lot. No, I really appreciate
that. Makes me feel great about myself.
I use it because I have to I make the
materials. I I want people to be able to
use a a text editor that they're
familiar with that they can just get for
free on Windows. Okay. You know, I'm not
proud of it.
>> They're handing out Notepad++ for free
for sure now. They're like, "Guys, Casey
Casey, how does it make you feel?"
>> Not great.
>> That when they attacked high-value
targets, you weren't included. Like,
what's like what what went through your
mind that day?
>> Up and up, guys.
>> We don't know that they didn't try.
Casey's been clicking no. That's say I
was just going to say I'm sure I was
tops on the list prime tops on that list
and I just didn't hit update. They they
were probably furious
>> that they couldn't get access to my
machine with this hack. Probably the
whole reason they did it and the other
targets were just like to you know
they're like well we could since we
didn't get Casey we'll get a couple
we'll get you know NORAD or whatever.
You know
>> there's like a cinematic scene that has
Casey's face on a dart board. A guy just
smoking cigars just throwing darts at
Casey's face.
>> Yeah. I mean, that's a chance why they
kept the exploit open. They were just
waiting for Casey to hit the update.
They were going, going, going. I don't
know, man. We got to we got to get
something back to the boss, even though
we're really here to get Casey. They're
like, "All we got was Bill." And it was
like, "No big deal."
>> Bill from IT.
>> Yeah.
>> The first guy doesn't play Minesweeper
ever, and now he doesn't update his
notepad. How are we going to hack this
guy?
>> We've tried leaving USBs on the
sidewalk. He doesn't put those in his
computer. We're screwed.
>> He's not even clicking markdown links in
Notepad. He's some kind of freak.
>> What the hell? Everyone clicks markdown
links. That's why they're there.
>> Especially in Notepad,
>> specifically in the world's most
markdown friendly editor that everyone
knows about, Notepad.
>> Yeah. Well, now that it has Copilot, I
do kind of think it is the best place to
work with Markdown documents. Prime.
>> I do like the idea of someone at
Microsoft coming out and going, "Well,
the we have some good news and bad
news." The bad news is that the markdown
parsing in notepad was attacked with a
pretty significant security exploit. The
good news is since nobody knew that
notepad parsed markdown to begin with,
no one was opening markdown files and so
we avoided any actual security.
>> We like to call that at here at the big
kind of shops like we operate at
Microsoft. We like to call that Swiss
cheese security. And so we're really
confident we've got so many layers of
abstraction nobody's going to be able to
exploit our software. Good news. Copilot
has had no security exploits because
nobody uses it. And we will continue
this nobody uses Copilot so it can't get
exploited strategy. Hey guys, if you
like this episode, you can watch the
rest of it on the Spotify. And don't
forget to like and subscribe. Woo! See
you later.
>> Boot up
five errors on my screen.
Terminal coffee
and
living the dream.
In this video, Casey Muratori discusses two significant security exploits affecting common text editors on Windows: the built-in Notepad and the popular open-source Notepad++. He explains how the standard Notepad's new markdown parsing feature incorrectly handles links by passing raw strings directly to ShellExecute, allowing for local file execution. For Notepad++, he describes a sophisticated state-sponsored man-in-the-middle attack that exploited an unverified auto-update mechanism to deliver malicious DLLs to high-value targets using signed executables as a cover.
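The mitigation Casey describes for the Notepad link bug (parse the markdown link target yourself and only hand the shell something you know is a web URL) is shown below as an added example; it is not Notepad's code, nor Microsoft's, and it uses Python as a stand-in for the check a native editor would run before calling ShellExecuteExW. The markdown document, the link targets and the function names are all constructed for this example. The allow-list deliberately treats anything that is not an `http`/`https` URL with a host (a `file:` target, a `ms-appinstaller:` target, a bare path, a drive letter that parses as a one-letter scheme) as something that must not be passed through to the shell.

```python
import re
from urllib.parse import urlsplit

# Constructed sample document (not from the page): a table of contents with
# links of the kind an editor might render as clickable.
SAMPLE_MARKDOWN = """\
# Table of contents
- [Project site](https://example.com/docs)
- [Mailing list](HTTP://lists.example.com/)
- [Local notes](file:///C:/Users/me/notes.txt)
- [Installer](ms-appinstaller:?source=https://example.com/app.msix)
- [Script](  javascript:run )
- [Next chapter](./chapter2.md)
"""

# [display text](target); the target may be padded with whitespace.
LINK_RE = re.compile(r"\[([^\]]*)\]\(\s*([^)\s]+)\s*\)")

# The only schemes a document viewer should ever hand to the system opener.
ALLOWED_SCHEMES = {"http", "https"}


def extract_links(markdown):
    """Return (display_text, raw_target) pairs for every [text](target) link."""
    return [(m.group(1), m.group(2)) for m in LINK_RE.finditer(markdown)]


def classify_target(raw):
    """Decide whether a click on `raw` may be forwarded to the system opener.

    Returns (verdict, reason) with verdict 'open' or 'block'. The rule is an
    allow-list: a target is forwarded only when it is an http(s) URL that
    names a host, so the opener can do nothing but launch a browser.
    """
    target = raw.strip()
    # Backslashes are path separators on Windows and never belong in a web
    # URL; refusing them early keeps UNC and drive paths out of the opener.
    if "\\" in target:
        return "block", "backslash in target"
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if not scheme:
        return "block", "no scheme (would be resolved as a local path)"
    if scheme not in ALLOWED_SCHEMES:
        # Covers file:, ms-appinstaller:, javascript:, and a drive letter
        # such as "C:/..." that urlsplit parses as a one-letter scheme.
        return "block", "scheme %r not in allow-list" % scheme
    if not parts.netloc:
        return "block", "http(s) URL without a host"
    return "open", "http(s) URL with host"


def triage(markdown):
    """Map every link target in the document to its verdict."""
    return {target: classify_target(target)[0]
            for _text, target in extract_links(markdown)}


if __name__ == "__main__":
    for text, target in extract_links(SAMPLE_MARKDOWN):
        verdict, reason = classify_target(target)
        print("%-5s %-14s %s  (%s)" % (verdict, text, target, reason))
```

Run stand-alone it prints one line per link; only the two web links come back as `open`. The point of structuring it as an allow-list rather than a deny-list is that the set of things the shell knows how to open changes with every Windows release (as the `ms-appinstaller` removal in 2024 shows), so enumerating dangerous schemes is a losing game, while "http or https with a host" stays a small, stable rule.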