It seems Windows Notepad’s days of innocence are over, as Threatpost reports that Google’s Project Zero has managed to turn the app into an entry point for full system access.
Tavis Ormandy, of Google’s Project Zero, found a memory corruption flaw in Notepad that allows a specially malformed file to subvert the app into offering remote shell access – usually the first step in compromising a system.
Am I the first person to pop a shell in notepad? ….believe it or not, it's a real bug! pic.twitter.com/t2wTh7E93p
— Tavis Ormandy (@taviso) May 28, 2019
The exact details of the bug have not been revealed yet, and Tavis has reported it to Microsoft, giving them the usual 90 days to fix the issue before disclosure.
“All I can say is it’s a serious security bug, and we’ve given Microsoft up to 90 days to address it (as we do with all the vulns we report). That’s all I can share,” he wrote in a Twitter exchange on Friday.
Threatpost notes that the hack is impressive.
“Notepad is exposing so little of an attack surface it’s notable that it is still enough to give an attacker the ability to run arbitrary code,” said Dan Kaminsky, chief scientist and founder at White Ops. “That’s not to say that given the little amount of what Notepad does there isn’t room for something to go wrong.”
Most researchers, however, downplay the significance of the hack, noting that attackers would first need to get targets to open files in Notepad. This is unlikely to happen by default, except through the deprecated IE11.
“But today, post IE mitigations, there is no way to launch Notepad on a system unless you’re sitting at the computer,” Kaminsky said.
We note, however, that one of the most frequently used apps on many developers’ computers is Notepad, largely because it seemed the safest way to open unknown files. It appears those days may be over, at least for now.