Tavis Ormandy, a security researcher for Google’s Project Zero division, announced the discovery of a code bug in Notepad, Microsoft’s popular text editor. The problem was privately reported to Microsoft, and it was made public after 90 days. No additional information is currently available, because Microsoft has not fixed the problem yet. According to sources, the company has not yet released a patch for it.
The flaw relies on a memory corruption bug in the application. The security researcher has demonstrated how to pop up a command shell by using the Notepad application alone. The good news about this particular threat is that the bug was privately disclosed to Microsoft, allowing the company to make a patch in due time and prevent any abuse by criminal collectives. To date, no information is available about any hacking attempts that have been facilitated by this particular bug.
Ormandy revealed that he had speculated that the vulnerability was a memory corruption error. He even shared an image and showed how to start a command prompt. The expert confirmed that he has already developed an exploit for the problem.
Chaouki Bekrar, the founder of the zero-day broker Zerodium, said that such a problem discovered by the Google white-hat hacker was not unusual. He said that it was not the only vulnerability that could be used to “pwn” Notepad.