You’d think that Notepad, basic as it is, would be among the most innocuous of Windows’ most popular apps. And yet this simple program can be used to take complete control of a Windows PC.
To be fair, Notepad itself isn’t the problem as far as security is concerned. According to Tavis Ormandy, a security researcher from Google Project Zero, the issue lies with a component in Windows’ Text Services Framework, which manages keyboard layouts and text input: specifically, the component known as CTextFramework (CTF), which dates back all the way to the days of Windows XP.
Ormandy says that CTF is full of flaws that can be exploited through applications that rely on it to display text on screen. He demonstrated this with the humble Notepad, gaining System-level privileges. Granted, this kind of hacking requires the hacker to have physical access to your Windows PC.
According to Ormandy, there are plenty of legacy bugs like this one that go unnoticed for years. For what it’s worth, this particular flaw is officially designated CVE-2019-1162, and has since been patched by Microsoft.