Microsoft has issued a security update to fix a serious vulnerability in Notepad that could have allowed attackers to take control of Windows PCs through malicious Markdown files.
The company warned that a threat actor could exploit the bug by convincing a user to open a specially crafted Markdown (.md) file in Notepad and click on an embedded malicious link.
Microsoft says the vulnerability could cause Notepad to “launch unverified protocols” that load and execute remote files.
In a successful attack, malicious code could be downloaded and run on the victim’s machine, potentially giving the attacker the same permissions as the logged-in user.
The issue has been assigned a CVSS severity score of 8.8, classifying it as high risk. Microsoft says there is no evidence the flaw has been exploited in the wild.
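A defender-side check that follows from the description above: the attack path depends on a link inside a Markdown file whose target uses a protocol other than the ordinary web and mail schemes, so a mail gateway or file-share scanner can triage incoming .md files by extracting every link target and reporting any whose URI scheme is not on an allow list. The script below is an added example written for this article, not Microsoft's code and not a reproduction of the Notepad bug; the allow list, the sample file and the placeholder scheme name `example-proto` are assumptions made here for illustration. It complements patching rather than replacing it.

```python
"""Report Markdown link targets whose URI scheme is outside an allow list.

Added example for triage of incoming .md files; not Microsoft's code.
The allow list, the sample document and the placeholder scheme name
"example-proto" are assumptions made for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the schemes an organisation is willing to hand to any
# Markdown renderer. Everything else is surfaced for human review.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target "title") / ![alt](<target>)
_INLINE = re.compile(r"!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+\"[^\"]*\")?\s*\)")
# Reference-style definitions at line start: [label]: target "title"
_REFDEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?(\S+?)>?\s*(?:\"[^\"]*\")?\s*$")
# Autolinks: <scheme:rest-of-target>
_AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^\s<>]*)>")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the Markdown file
    scheme: str    # lower-cased URI scheme that was not allow-listed
    target: str    # the raw link target as written in the file


def link_scheme(target: str) -> str:
    """Return the lower-cased URI scheme of a link target, '' if relative."""
    return urlsplit(target).scheme.lower()


def scan_markdown(text: str, allowed: set[str] = ALLOWED_SCHEMES) -> list[Finding]:
    """Collect every link target whose scheme is absent from the allow list.

    Relative links (no scheme) are not reported; they cannot name a protocol
    handler. Each line is scanned with all three link syntaxes so that a
    target hidden in an autolink or a reference definition is not missed.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        targets = (_INLINE.findall(line)
                   + _REFDEF.findall(line)
                   + _AUTOLINK.findall(line))
        for target in targets:
            scheme = link_scheme(target)
            if scheme and scheme not in allowed:
                findings.append(Finding(lineno, scheme, target))
    return findings


# Constructed sample document; "example-proto" stands in for any scheme
# that is not on the allow list and is not a real protocol handler.
SAMPLE_MD = """# Release notes
See the [docs](https://example.com/docs) and [mail us](mailto:sec@example.com).
Local: [changelog](docs/CHANGELOG.md)
Click here: [open installer](example-proto://placeholder/payload)
<example-proto:second>
[ref]: example-proto://placeholder/ref
"""

if __name__ == "__main__":
    for f in scan_markdown(SAMPLE_MD):
        print(f"line {f.line}: scheme '{f.scheme}' not allow-listed -> {f.target}")
```

Running the script on the constructed sample reports lines 4, 5 and 6 and stays silent on the https, mailto and relative links. In a real deployment the allow list is a policy decision; a scheme that is legitimately used inside the organisation should be added there rather than silently ignored, and anything reported should be reviewed before the file is passed on to users.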

The vulnerability is linked to Markdown support introduced to Notepad on Windows 11 in May last year, part of Microsoft’s broader push to modernise the long-standing text editor. The update added support for Markdown-style formatting, alongside other enhancements and AI-powered features.
However, the security lapse has reignited debate about feature creep in core Windows apps. Some security researchers have questioned whether adding network functionality and AI integrations to a traditionally simple text editor increases the attack surface unnecessarily.
Microsoft is urging users and IT administrators to install the latest Windows security updates immediately and ensure the Notepad app is up to date via the Microsoft Store.
The patch comes amid heightened scrutiny of text editors, following a separate security incident involving third-party app Notepad++.