20260211 https://news.ycombinator.com/item?id=46971516 Windows Notepad App Remote Code Execution Vulnerability (804 points, 516 comments)
20260210 https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> "An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad"
Other recent Notepad issues:
20260207 https://news.ycombinator.com/item?id=46927098 Microsoft account bugs locked me out of Notepad – Are thin clients ruining PCs? (187 points, 284 comments)
20260127 https://news.ycombinator.com/item?id=46780451 Windows 11 January Update Breaks Notepad (60 points, 25 comments)
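The advisory text quoted above concerns a link inside a Markdown file. As an added example (not code from Microsoft, the advisory, or any commenter here), this is one way a defender could triage Markdown files before opening them in a rendering editor: list every link target and flag those whose scheme is outside a small allowlist. The allowlist, the function names and the sample document are assumptions made for this sketch, and it does not reproduce the CVE.

```python
import re

# Assumption for this example: schemes a reviewer accepts without a second look.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Three places a Markdown link target can appear:
# inline links/images, <autolinks>, and reference definitions.
INLINE = re.compile(r'\[[^\]\n]*\]\(\s*<?([^)\s>]+)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^\s<>]+)>')
REFDEF = re.compile(r'^[ ]{0,3}\[[^\]\n]+\]:[ \t]*<?([^\s>]+)', re.MULTILINE)
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')

# Constructed sample document; hosts, paths and the custom scheme are made up.
SAMPLE = """# Build notes (constructed sample)

See the [project page](https://example.com/docs) and [setup](docs/setup.md).
Run the [installer](file:///C:/Temp/setup.exe) first.
Open <example-handler://open?item=1> for details.
Shared copy: [report][r1]

[r1]: \\\\fileserver.example\\share\\report.docx
"""


def link_targets(markdown):
    """Return sorted (line_number, target) pairs for every link target found."""
    found = set()  # a set, so an inline link written as (<url>) is not counted twice
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for m in pattern.finditer(markdown):
            line = markdown.count("\n", 0, m.start()) + 1
            found.add((line, m.group(1)))
    return sorted(found)


def classify(target):
    """Label a link target as 'allowed', 'relative' or 'review'."""
    if target.startswith(("\\\\", "//")):
        return "review"      # UNC or scheme-relative network path
    m = SCHEME.match(target)
    if m is None:
        return "relative"    # relative path or #fragment, no scheme at all
    scheme = m.group(1).lower()
    return "allowed" if scheme in ALLOWED_SCHEMES else "review"


def review_markdown(markdown):
    """Return the (line_number, target) pairs a human should look at before clicking."""
    return [(line, t) for line, t in link_targets(markdown) if classify(t) == "review"]


if __name__ == "__main__":
    for line, target in review_markdown(SAMPLE):
        print(f"line {line}: {target}")
```

Links inside fenced code blocks are not excluded, so the scan errs on the side of reporting too much.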
I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical on the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...
Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is an Electron sloplication.
Notepad is supposed to be a bare bones editor -- where you go when everything else fails. The VI of Windows. If they want a rich editor, they should bring back WordPad.
Notepad's got Markdown, it's what LLMs crave.
Can someone please explain why these two things are ever simultaneously true? You buy the stupid Copilot+ PC that has "AI" NPU hardware, right? So the AI features should be able to run locally. But if you have to sign in with a Microsoft account, then surely, it doesn't run locally, which begs the question, why does it require a Copilot+ PC at all?
Not even going to bother asking "does anybody want this to begin with" because at this point there is no real need to bother asking that.
My two favourite 'AI' tools in image editing have been ones that can replace tedious work.
One such example is segmentation models that can be used for smart cutouts, removing backgrounds etc.
Now we have both 'segmentation' and 'AI' in paint - but the segmentation uses the exact same shitty flood fill with tolerance that's probably existed in the first paint program at Xerox PARC, while the 'AI' feature is another by-the-numbers crappy stable diffusion model that's strictly worse than anything you could get with your first Google search.
(I found an odd one: for some reason I can't log into my PC with my MS account, which let me create the local account I actually wanted. System broken in my favor.)
Everything MS is doing in Windows is to this end.
They got to like step 3 of their 10 step master plan and gave up and have been lingering there.
Microsoft has been a walking husk of a company for the past decade and a half that somehow inexplicably stumbled into a trillion dollar valuation.
It is Micro$oft after all :P
The reason we're getting this AI gumbo is that obviously the product people at M$ were told: "Make money by selling AI features!!!". Which flipped their minds from their usual "I am Steve Jobs" fantasies, which tell them to _consider the User experience first_, to _Consider the companie$ experience first_, and they can't keep the two concepts in their little heads at the same time because they are, after all, just product people.
Then there was a brief moment where it became decent. Still a barebones text editor, but it could actually edit text, what I think most people expected Notepad to be.
And now, it is going the other way, with "AI" features no one wanted, and also "Markdown support" which is ironic since Markdown is designed to look good in a regular text editor. Now we have something that isn't really a text editor, but not really a wysiwyg editor either, it has some advanced features like AI, but is lacking features most other semi-advanced text editors have (ex: syntax highlighting).
At least, it was good for a couple of years.
Isn’t it boring when a piece of software is just complete? In fact that’s an unacceptable state for it!
step 2: omg there's demand for features
step 3: turn notepad, whose point was to be a dumb simple thing, into a wordpad
step 4: get a raise because you "solved" the problem
Step 6: GOTO 1.
I’m willing to bet that adding markdown to Notepad was a lot simpler than trying to make it work in Wordpad, especially since you’d probably still have to support rich text.
The RichEdit control handles parsing RTF (I believe there was a CVE-level bug about RTF-handling in RichEdit - ahh - here we go https://www.kb.cert.org/vuls/id/368132/), the programmer/app is insulated from grokking RTF.
Here's sample code for opening an RTF file - https://learn.microsoft.com/en-us/windows/win32/controls/use...
Adding realtime conversion of text-only Markdown to the processed-richtext Markdown is slightly more difficult than an instant message-type edit control converting a text :) to a unicode emoji character representing :)
You'd have some bookkeeping to remember which lines are markdown and which are plain text. But it's not rocket science.
Imagine Win11-Notepad as WordPad with all the UI for rich text formatting disabled.
There is configurable syntax highlighting in vscode.
Should an app like Notepad ever embed a WebView? (with e.g. tauri-apps/wry instead of CEF now FWIU)? Not even for a Markdown Preview feature IMHO.
When they introduced a mobile first UI onto a desktop OS...
When they forced mandatory Microsoft accounts...
When they started saving files that had no place being in one drive to the cloud by default and charging people for it...
When they announced the worst AI privacy disaster in computing OS history...
When their updates refused to install cleanly and bricked people's computer to the point of hardware damage...
Seriously thinking I might have Stockholm syndrome at this point. To me the best windows would be Windows 11's kernel and libraries with Windows 7's UI and apps. Because it's been all down hill (generally) since there.
For me it's currently the minimal-hassle way to make my Steam library runnable. But it feels like we're moving in a good direction thanks to Valve's efforts where one day I may be able to never boot into Windows on my PC.
That's when I jumped to Macs and haven't looked back since. Windows is just a glorified game console to me now, but I have enough fun with PS5/Switch exclusives.
Though macOS is also becoming annoying, not quite to that breaking point yet, but worrying
Meanwhile Linuxland seems like a chaos of 10000 people who all think they're right, under an anal overlord
Maybe it's time to dig the Commodore 64 back up? :')
But who cares though, soon AI will make operating systems meaningless, right?
Does anyone know how to achieve that? What happens when you replace the kernel in a Windows 7 installation with the one from Windows 11? How is the manual update procedure for kernels on MS Windows?
So the people taking pot shots at the developers, I guess, maybe be more specific with what they did wrong and what they should have done instead. Because if you actually understand the history/circumstances (and the fact it was a third-party hosting provider compromised), one would expect more blame on the systemic under-funding of OSS than "developers bad."
Are people wanting them to create a business, monetize Notepad++, so that they no longer have issues with hosting/certificates? I'm guessing not.
They're also very political and giving them access to my machine now feels even more risky.
20260202 https://news.ycombinator.com/item?id=46851548 Notepad++ hijacked by state-sponsored actors (917 points, 543 comments)
20260203 https://news.ycombinator.com/item?id=46878338 Notepad++ supply chain attack breakdown (384 points, 198 comments)
20250630 https://news.ycombinator.com/item?id=44426049 High-Severity Vulnerability in Notepad++ (39 points, 14 comments)
20230904 https://news.ycombinator.com/item?id=37385920 Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code (83 points, 39 comments)
20230830 https://news.ycombinator.com/item?id=37320304 Buffer Overflows in Notepad++ (68 points, 61 comments)
20230829 https://news.ycombinator.com/item?id=37311068 Notepad++ v8.5.6 still vulnerable to possible arbitrary code execution (18 points, 3 comments)
20211209 https://news.ycombinator.com/item?id=29499002 StrongPity variant hides behind Notepad++ installation (45 points, 28 comments)
20191030 https://news.ycombinator.com/item?id=21395251 Notepad++ issues attacked by Chinese commenters (237 points, 110 comments)
20191030 https://news.ycombinator.com/item?id=21400526 Notepad++ repository is being spammed after “Free Uyghur” release (82 points, 36 comments)
20190317 https://news.ycombinator.com/item?id=19329330 Notepad++ drops code signing for its releases (496 points, 327 comments)
20170308 https://news.ycombinator.com/item?id=13824032 Notepad++ V 7.3.3 – Fix CIA Hacking Notepad++ Issue (1101 points, 291 comments)
20150112 https://news.ycombinator.com/item?id=8876823 Notepad ++ hacked for Je Suis Charlie comments (web archive link) (65 points, 74 comments)
You can make old Notepad be the default cmd line by going to Apps > Advanced app settings > App execution aliases, and disable the Notepad setting
It can be installed easily via chocolatey.
EDIT: yes it does and it has actually been updated yesterday.
Assuming most people don’t need to open 16TB files, they might as well use VS Code.
For a UI I’ve been using VSCode. It is quite quick when you disable all extensions and most settings.
> eMacs
I love Emacs, but I don't see how a Lisp platform with a web browser, a Tetris implementation, and 4 terminal emulators (shell, term, ansi-term, eshell) can be considered 'lightweight'.
https://en.wikipedia.org/wiki/Notepad%2B%2B#Political_messag...
The possibility of software being a personal, creative, expressive endeavor (which often includes politics), something I believed in back when I was in university twenty years ago, is a feeling that's receded deeply into the past. That might be as much about me as it is about the world, but I miss it.
The creator is also very selective about the type of politics he supports.
0) Set "When Notepad starts" option to "Start new session and discard unsaved changes"
1) New file
2) Type "abc" - note the "X" to close the file changes to a "O" (pretend that's a circle) to indicate unsaved changes
3) Save file - "O" changes back to "X"
4) Type "def" - "X" changes back to "O" because "def" is not on the file on disk
5) Undo, "def" disappears, "O" incorrectly remains...
6) Redo, "def" reappears, "O" incorrectly changes back to "X"
7) Close file. No prompt to save unsaved "def". Reopen file. "def" is gone
> Unsupported Syntax Detected
> This file contains syntax that isn't fully supported in formatted view. Some content may not render as intended, and switching views could modify parts of your original Markdown. Do you want to continue?
Article: People systematically overlook subtractive changes - https://www.nature.com/articles/s41586-021-03380-y
(Modulo CR/LF, of course.)
For example, a prompt when opening the file like: "It's unclear what kind of data this is, here are a few options with a preview, pick which one you'd like me to use."
Annoying, but them's the breaks when you're making software and aren't willing to put in hard requirements about what it is expected to (not) operate on.
Apps like classic notepad are useful to have around, when apps that try to parse things like markdown get it wrong and the underlying file needs to be fixed.
All I really need is a basic text box with a scroll bar, and a way to feed it with bytes from a file.
To make it a well-defined challenge: the task is to find a way to create a basic notepad - a multi-line textbox that supports scrolling, and can be fed bytes from a file to render as text directly. Additionally, this must be achievable through simple means - simple enough to memorize - and must work on standard Windows 11 installation, with no extra dependencies to procure. Solution can be e.g. something I can type from memory into "Run" (Win+R) box, but could also be a short list of GUI steps (e.g. open some program, click on "Help", drag file to help box).
https://github.com/reactos/reactos/tree/master/base/applicat...
Maybe someone should submit a feature request for it.
What's next, in a few years we're rocking EDLIN when we need to operate on a text file safely?
edit.exe[1,2] actually. And it runs on Linux too! Linux had a real lack of good text editors.
This isn't bad at all given how most other software evolved in the intervening 30 years.
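; AutoHotkey v1 syntax: Ctrl+Shift+V pastes the clipboard as plain text
^+v::
Clipboard := Clipboard  ; reassigning the clipboard to itself drops formatting, leaving plain text
Send ^v                 ; send an ordinary Ctrl+V paste
return                  ; end of the hotkey body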
That way, it works globally, it's not dependent on any particular application implementing it.
Cmd-L Cmd-V Cmd-A Cmd-C
(swap Cmd for Ctrl on non-Mac)
Meanwhile, 2 weeks ago:
Windows Notepad App Remote Code Execution Vulnerability
Notepad was never fancy, but it was a reliable tool to strip formatting or take a quick note, and now I cannot even count on that.
Markdown presents a chicken-&-egg scenario that has dragged on for decades: tons of Markdown documents, but almost nothing with which to simply view (not edit) them as intended. Mystifying.
I think this explains the lack of viewers; they are simply not needed.
(also seeing all those marks isn't aesthetically good, hence the need for a viewer)
Second: If the formatting codes are going to be ignored by all the viewing applications, why are they in the document in the first place?
Every time this comes up, someone floats this weird "but all you need is a text viewer" argument... indicating that Markdown is pointless.
Markdown viewer for Linux
I know there are others and there are fine points. I would like to see a couple minor additions to support image placement (that aligns with Medium's editor) and finally a strike-through text notation. But that's about it.
Let's just say I haven't concluded my testing yet, it's ongoing :)
You need to buy 5 regular Windows licenses and then you'll be able to unlock the LTSC option. It works out to about $300.
(Update: Ah, title is a little misleading. This update doesn't introduce Markdown, it adds support for nested Markdown lists etc.)
Personally, I think they should've kept Notepad as-is and reincarnated WordPad instead, rewriting it and giving it Markdown instead of RTF. It already had the basic formatting interface and all. It would've been a pretty smooth transition.
The problem is that Markdown supports quite a bit, even tables, which lends to feature creep. It was already more sluggish without any of this due to moving Notepad to WinUI.
Maybe I'd mind it less if they put the new MS Edit in Windows by default, so again, there's a minimal plain text editor in the box.
This doesn't seem like a good idea.
And WordPad was built on top of the "RICHEDIT" window class, and exposed lots of the OLE features provided by the rich text control. "Insert Object" is a powerful and potentially dangerous feature with a lineage going back to the Windows 3.1 days. As long as your DLL is registered correctly, any document in an OLE-capable program can cause objects from that DLL to become instantiated and deserialized.
Getting rid of documents able to instantiate arbitrary OLE controls is a good reason to try to remove WordPad. It's not just some simple styled text editor.
This new "Edit" is completely tone-deaf in that it doesn't keep the keybindings from Notepad (i.e. no CTRL-H for find/replace, no F5 for the current date/time). You can't turn off the status bar or the line numbers. It doesn't follow the OS theme (instead pretending to be a text-mode application). It tries to be "helpful" with indentation.
At least they bothered to get Find Next with F3 right.
It would have been immensely better if they'd just ported the old MS-DOS EDIT / QBASIC over to Windows.
But in the world we seem to be heading toward, where you can only log into Windows with a Microsoft account, and where your Microsoft 365 subscription state controls which "edition" or "desktop experience" of Windows you get as said logged-in user (regardless of which machine you're logged into)... there'd be no need for Wordpad.
In that world, Word the software package would always be pre-installed. (Why? Because even if you aren't paying for M365, someone who is could always log into your PC as a roaming user; and that person would want Word to work immediately without having to wait for it to download+install.)
And in a world where Word the software package is always preinstalled, then Microsoft could just let anyone launch Word (whether they have an M365 subscription or not); and then, at launch, rather than just putting a paywall in the face of anyone without an M365 subscription, Word could instead use the logged-in user's M365 licensing state to determine whether the spun-up Word process should run the full-fat Word UI, or some kind of degraded unpaid-mode Word UI.
And "Word running with some kind of degraded unpaid-mode UI" could be every bit the "Word lite" offering that Wordpad is. Which makes Wordpad itself redundant.
(The only weird part to me, is that they deprecated/removed Wordpad before pulling the trigger on all of this.)
Do you need to log in to notepad now? What in the actual hell is going on?
Then I'd probably have a decent print to pdf function as part of it.
wordpad is all-included on its own
This tool would have been so useful 25 years ago when I had to manually recolour every pixel in the contour of the cool photo I was editing for my new desktop background because the fill tool didn't recognise the background properly.
It's a drop-in replacement for Notepad that does add a few extra features, but does not have even the minimal suite of features that something like Notepad++ has. Where Notepad++ is great for code editing and extensible functionality via plugins, Notepad2 is more suited for people who just want Notepad, without the Windows/Microsoft. It has line numbers and (limited) syntax highlighting and a dark mode - bits and bobs like that - but it does not have tabs and ftp-on-save and the more complex stuff that requires a larger binary size.
It's free, it works like Notepad, and it acts like a bare bones text editor. In many, many cases, it's exactly what I want, and it's always exactly what I want in cases where my original intention would have been to use Windows' Notepad.
Oh boy.
But this is just following a pattern, they enshittified even calc.exe and mspaint. Previewing pictures in windows is shamefully slow because the previewer is also a bloat.
My diagnosis is that Microsoft doesn't have good technical leadership. It has spread the risk of bad decisions by individual leaders by spreading it amongst too many decision makers, and those people aren't always technically apt, or they have aptitude within their specific domain of expertise. Why is the start menu in react native for example.
They also have a crippling illness in the form of sunken-cost fallacy. Even when no one is especially depending on it, they go all-or-nothing on tech stacks and design patterns. Marketing and branding ultimately, I think is their biggest problem. You know how they name everything terribly? That's trying to capitalize on existing branding. This is fundamentally the mindset of salespeople. They could be spinning a new app, or making a vscode-lite ship with windows, but brand familiarity is why they're messing with notepad.
It is truly dumbfounding, they're being run like HP and IBM but because of how much the world relies on them, and because of Azure they're making so much profit.
Why are the shareholders not enraged even more? To have such a vast marketshare and failing to capitalize on it is terrible. They could be doing better than Apple. Even Apple sees the writing on the wall and adapts their strategy fundamentally by starting to make their own silicon. It's like having a barn full of chicken that lay golden eggs, but the farmer is slaughtering them for their meat, and the farmer's employer doesn't care because chicken meat is still making good enough profits.
It's funny because they are actively destroying existing branding these days. Like how they renamed Office after their failed AI assistant, rather than the other way around.
From the security side, everything is Microsoft Defender. When talking to people I have to say things like "defender but the AV thing that's on by default, not the paid cloud thingy, and by that I don't mean the cloud protection one but the thing that protects endpoints using cloud stuff". They can't come up with good names and they confuse the crap out of their users. I hate to say it's just MBAs, since I don't really know but that'd be my guess. Someone at an Ivy league school somewhere is perpetuating this perhaps?
Is there anything big and exciting out there still driven by taste and vision rather than metric bumps?
Microsoft has already positioned VS Code as its code editor and OneNote as its notetaking app. Why should Notepad compete with these offerings?
Anyone's got the CEO's number?
Tell him I don't charge for my genius management advice most of the time.
Before you know it every month this thing will appear over the top of what you actually want to do.
I never use Notepad anymore. I have been using Pulsar, which is okay, but not exactly what I want.
I want a text editor that can do markdown if I want, spell check, minimal tool bar with some formatting shortcuts, etc.
I'd love it if a "dumbed down Typora" had a love child with Notepad.
Surprisingly, some of the projects such as AkelPad are still alive.
Win32 made things easier, as well as things like Delphi and Scintilla later.
Just checked my archives, and my own naive but functioning attempt measures whole whopping 36520 bytes, though not without the help of an executable packer, which was a fashion then.
Mostly works fine under Wine, though it is about the legal US drinking age.
It looks like to me that it stores its settings at "%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\Settings\settings.dat", which is some binary format.
Why is registry being abandoned? If it is, why isn't ini or json or a plain text format used? Who are working at Microsoft now, abandoning both the windows ways to approach tasks, and also the other generic sane default approaches?
I'm looking for a plain and simple text editor with no programmers' features—no line numbers, syntax highlighting, etc.—no tabs or MDI whatsoever. No, I'm not looking for something with "you can turn these off", just a complete reimplementation of Win95 Notepad made via black-box testing.
I also like sometimes having multiple files open at once and drag the windows around my monitors as I need to and you can't do that in Notepad++.
Also Notepad++'s UI is bloated. There's just too much going on.
And please don't suggest I muck around in settings, I'm not interested in spending hours mucking around in a gigantic bloated settings dialog, I want something that Just Works™ with no configuration just like Win95 Notepad.
Edit: My specific use case here is for viewing files, not editing them. I use a different editor when I'm actually writing stuff but for browsing I just want old Notepad.
Maybe Notepad is actually saving LF, but marks the file as CRLF and some WSL translation layer then triggers and removes LF, because they are not CRLF?
I hope they give notepad a keyboard shortcut to transition to ascii only like textedit has on the Mac
They are convinced it needs to be a worse vscode when all I want is something to edit plain text files.
Adding RTF and a wysiwyg markdown editor is the last thing that I want from something like notepad. When I open notepad, I still want to see the characters that are present. Heck, I'd like to be able to see the difference between a space and a tab. I'd want to be able to see which type of line ending is being used (and switch to the correct one, \n). Hiding characters is antithetical to the reason I'd use notepad in the first place.
I want to be able to search text and see text. Not compose a document or talk to an LLM.
I tried to take advantage of it, but the implementation felt really clunky (formatting seemed to be via menus only), so I’ve stuck with .txt files.
> To use Coloring book, you will need to sign in with your Microsoft account.
you will need to sign in with your Microsoft account. My god they love to identify you.
Notepad should be last thing they should be fiddling with.
I am sad that we have to install 3rd parties for basics now.
( In case you forgot: https://www.youtube.com/shorts/Vw1rMkUFqyc )
edit: just checked the version that ships with Steam on Linux, yep, works great in a VM
- Notepad: Plain Text
- Wordpad: Rich Text
- Word: Documents
Seriously? Markdown is the preferred method for rich text these days, so why didn't they just turn WordPad into a WYSIWYG Markdown editor?
They also shove Copilot into it, but that's a whole different problem. Who is this current iteration of Notepad actually made for?
- There wasn't anything that comes with Windows that natively supports it (before now)
- All your favorite text editors don't support it natively, and plugins vary
- You can pay for a nice markdown editor but for some reason your more powerful usual text editor is still free?
- You can open VSCode, which is hilarious overkill if you just want to take some notes. Obsidian is excellent but same problem.
- Maybe something I'm missing?
Basically I think it is a great thing if I just get a lightweight markdown friendly editor built in, because I'll probably use it all the time.
...except if it immediately leads to a CVE, I guess.
The whole point of notepad was a plain text editor.
Wordpad was the lightweight document creation software.
Lately I've been doing the same for other small utilities. Roughly half the little tools I use are ones I generated and kept because they’re predictable and easy to audit.
The point isn't replacing built-ins; it's reducing dependence on shifting defaults. I want to care less about what the software/os vendor changes this time.
I recently used Windows Sandbox and was surprised that it does not have notepad. And why? Because it's a Store App now and that's unsupported inside the Windows Sandbox.
Notepad is supposed to be dumb, not Microsoft!
I can't even get visual studio code to stop showing that right-hand sidebar every time it opens up, regardless of what settings I use. It seems to work for a while, and then it appears again like magic.
I'm not sure how many more times they have to hit you straight in the face before you realize you're a victim here and need to get away from the abuser as much as you can, not try to "salvage" the situation.
recent vuln aside (big caveat I'll admit) idk why you would use notepad at all when N++ exists
I do think notepad recently got those, but for a long time it was a compelling reason to use notepad++.
And you can avoid copilot.
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like 'Microsoft.WindowsNotepad*' } | Remove-AppxProvisionedPackage -Online
I don't have the bandwidth to babysit all the different ways MSFT tries to break tools to bother using them.
It's not fine just because you sneak a button to (temporarily) get rid of it. Just make features worth enabling instead.
Is it because the average person isn't as tech savvy as most (if not all) HN readers to know any better, and those companies want the headcount of usage to look high to please stakeholders?
Enshittification at its finest stink.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
Fun fact: you can uninstall Notepad!
The truth is, unless Notepad got some kind of makeover, it was a useless vestige. It obviously wasn’t a good text editor for plain monospaced text. Having basically zero features didn’t serve anyone - why not use Notepad++ or vim in that case?
I think the most popular use of notepad is to read text files quickly and these days that often includes Markdown files. It makes perfect sense for Notepad to evolve into something that’s actually useful for lightly formatted text formats.
but I don't think most people here are complaining because of security risk... otherwise they wouldn't be recommending things like notepad++, other obscure editors, or editors with way larger code bases.
I've spent a long time building up my muscle memory. I don't want my tools changing out from under me. If they wanted to ship an "enhanced" notepad they should have called it something else.
But we think we're right and still we thought they were wrong.
If we were in a PHP forum, this would be my signature: I'm getting too old for this shit.
Just make your own damn notepad if it bothers you lol.
Somebody should probably tell Microsoft we’ve all moved on to better things like Notepad++ (even when their update supply chain gets compromised).