Security researcher Tavis Ormandy, a member of Google's Project Zero team, has unearthed some serious bugs and threats in the past. This time, he found a new zero-day vulnerability in the Notepad app, which affects users of the Windows operating system.
The zero-day exploit can be used to open a Windows CMD window from within the Notepad app. Ormandy explains that this is clearly an exploit because the attacker can’t correctly click dialogs, which means it’s not a security bug.
“This is a real bug,” he said in multiple tweets, as some people believed he was just playing around and right-clicking stuff.
Soon, some people started trying to come up with a name for the exploit. Ormandy himself is informally calling it “Notebad.”
Microsoft has already been notified about the zero-day bug. No further details have been provided in the tweet, including which Windows versions are affected. That’s because Google’s Project Zero team has given Microsoft a 90-day non-disclosure deadline so that the company can work on a security patch.
However, Ormandy said that he has managed to create a remote code execution exploit using the bug. He plans to publish the exploits and the details of the Notepad zero-day bug in a blog post as soon as Microsoft releases a patch for it or the deadline ends. The bug will also be fully documented on a publicly available bug tracker.