
Memory Corruption Zero-Day Bug Found In Windows Notepad App


Updated July 18th, 2019

Security researcher Tavis Ormandy, who is a part of the Google Project Zero team, has already unearthed some serious bugs and threats in the past. This time, he found a new zero-day vulnerability in the Notepad app which affects users of the Windows operating system.

The zero-day exploit can be used to open a Windows CMD window from within the Notepad app. Ormandy explains that this is clearly a real memory corruption exploit: an attacker can’t right-click dialogs, so right-clicking would not be a security bug.

“This is a real bug,” he said in multiple tweets as some people believed he was just playing around and right-clicking stuff.

Am I the first person to pop a shell in notepad? ….believe it or not, It’s a real bug! pic.twitter.com/t2wTh7E93p

— Tavis Ormandy (@taviso) May 28, 2019

No, this is a real memory corruption exploit, I’ve reported it to MSRC. Surprising number of people replied thinking I was just right clicking stuff…. I said “it’s a real bug” It took me all weekend to find good CFG gadgets, just showing off

— Tavis Ormandy (@taviso) May 28, 2019

As I said, “this is a real bug”, It’s a real memory corruption exploit. Clearly an attacker cannot right click dialogs, so that is not a security bug.

— Tavis Ormandy (@taviso) May 28, 2019

Soon, some people started trying to come up with a name for the exploit. Ormandy himself is informally calling it “Notebad.”

Microsoft has already been notified about the zero-day bug. No further details have been provided in the tweets, including which Windows versions are affected. That’s because Google’s Project Zero team has given Microsoft a 90-day non-disclosure deadline so that the company can work on a security patch.

However, Ormandy said that he has managed to create a remote code execution exploit using the bug. He plans to publish the exploits and the details of the Notepad zero-day bug in a blog post as soon as Microsoft releases a patch or the deadline ends. The bug will also be fully documented on a publicly available bug tracker.


Written by John Marsh
