Hacker News

Search for this: "Revenue, classified by significant product and service offerings"

You can also kinda read the 3 categories as office, azure, windows. But that is a gross oversimplification.

But it doesn't matter that Azure is garbage, because the people they market it to are big enterprise CTOs, not the actual engineers who'll have to use it. Azure has quite a few of the S&P500 using it.

> Microsoft is Windows. Anyone saying otherwise is completely delusional.

What's delusional is making an unsubstantiated claims and then dismissing any counterarguments before they're made.

> Most of M$ office software has alternatives (Google Docs, OpenOffice...)

True. Yet MS Office is still the de facto standard.

> Github is constantly crashing and burning

True. But that doesn't mean it isn't still a business strategy for MS.

> Azure is garbage

Also true. But that doesn't mean it isn't profitable: "Microsoft Cloud revenue increased 23% to $168.9 billion."

> and they uttery killed Xbox

Quite the opposite. Xbox is thriving: "Xbox content and services revenue increased 16%."

> Oh and Linkedin is for actual psychopaths.

That's subjective. And even if it were true, that's got nothing to do with profitability (eg look at Facebook).

> If Windows dies, all of their other junk that is attached to the platform will die as well.

First off, literally no-one is claiming Windows is going to "die".

Secondly, even if it were to "die", you've provided no evidence why their other revenue streams wouldn't succeed when it's already been demonstrated that those revenue streams are growing, and in some cases, have already overtaken Windows.

Holding one's unsubstantiated personal beliefs above all evidence and rational argument is, in fact, delusion.

The evidence in TFA is that Microsoft is much more than Windows. So much more in fact that one can make a very reasonable argument that it's no longer a top priority for them.

The delusion is shutting your eyes, covering your ears, and screaming about how literally everyone except you is wrong.

> LinkedIn is for actual psychopaths

This is true. Peruse r/LinkedinLunatics to see them in action

This is why I have been saying that Microsoft is about to go the way of Sears when the AI bubble pops.

I was really hoping this CVE would have been caused by the Copilot integration into Notepad.

Calculator hasn't been infiltrated by Copilot yet, but I'm sure the day is coming.

It's hard for me to imagine anyone balking at this feature. My core note taking workflow frequently involves:

1. Note about blah 2. Paste link to blah 3. Open that link later when reviewing my notes.

Blah is sometimes a web link, sometimes a link to a doc on my system, and sometimes a link to an item in my todo tracker. The better analogy is this is like a pencil having an eraser built in.

I use Drafts instead of Notepad, but if I used Notepad I would want to be able to easily open links in my notes. When I do find myself in Notepad, it's because I double clicked on a readme file that often contains links to resources I need.

> Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light.

> Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.

> Every time GM introduced a new model, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car.

> You would press the 'start' button to shut off the engine.

If you live long enough, satire eventually becomes reality.

Unpopular opinion: rudimentary Markdown support is not entirely far-fetched even for a dumb text editor.

Even though I’m all against feature bloat, I think that making Markdown hyperlinks clickable is still within the Overton window of what a simple editor should be doing.

The problem is notepad itself would download and execute bad stuff if you click the evil link. If you would paste that same link in a browser you'd be ok.

And the problem is a notepad app is expected to be dead simple, have few features, and be hard to get wrong while implementing.

It could be. But why is notepad doing anything other than rendering text? I don't expect it to make links clickable, or render markdown.

Just imagine all the problems that wouldn't have occurred of email remained text only!

Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have a RCE

I find notepad useful for sanitising clipboard content.

No bold text, italics, bullet points, invisible html.. Just get the text and can copy it to paste again somewhere else.

Ala Cmd+Shift+V on Mac

Notepad is so slow at loading large files that it crashing quickly is a feature.

The windows 7-10 versions that could open anything would just get stuck for half an hour when you opened the wrong thing in them, which was rather annoying.

The reason being it is a plain text edit component, with a window around it, hence the limitation.

For those of you on macOS who still want to benefit from arguably the best drawing application ever conceived, https://jspaint.app/ is THE way. Use it all the time when editing screenshots.

Bonus point: that Windows 95 style "error" beep when pasting too large image. Always sends the shiver down the spine and confuses the coworkers around (we're an all-Mac shop).

Kind of a weird feeling that in order to get the better Windows 11 experience one requires programs from four operating system versions earlier.

Windows 11 also takes a huge amount of time to get working as i intend. I have to remove a lot of 'features' and heavily optimize some processes. It's stable and it works, but i'm getting more and more annoyed by it that upcoming updates sometimes destroy all my effort.

Kinda wish i could run everything my family wants on Debian. I know i could do that right now, but the wife and kids will never get used to that if they have to use Microsoft products in their working and school life.

Might as well just use Windows 7 if the security surface is this bad on later windows.

I have the mspaint.exe from the same version too :P. It complains about registry stuff on launch but other than that it works fine. There's no spray can in the modern paint!

There used to be a website that has these installable.

Update - it's just the games; I thought it had notepad and calc as well

I feel bad for anyone at MS who thought these applications needed anything more than bugfixes. Welcome to the Notepad team, the entire world would be better off it you did nothing at all!

Also, delete the key NoOpenWith under HKEY_LOCAL_MACHINE\Software\Classes\Applications\notepad.exe to enable file associations.

Specifically, ShellAbout: https://learn.microsoft.com/en-us/windows/win32/api/shellapi...

How do you write without being able to read with that version?

What? Did they accidentally revert the improvements they already made to previously shipped versions of the old notepad program?

Affermative. You have unlocked the following achievement: "Get a head start of 45 minutes when we start destroying humanity".

That recent Notepad++ incident was a supply chain attack, not a vulnerability in the original program.

The OS provided option can be bare bones, stable, secure and just utilitarian. This promotes having people choose their own tools for the features they want and not really expecting much other than reliability from the OS version. They didn’t need to mess with a good thing.

Ok, tabs, I do like the tabs.

> a mountain of legacy and they are fine.

telnetd CVE-2026-24061. It's embarrassingly simple exploit but took years to be discovered.

> When telnetd invokes /usr/bin/login, it passes the USER value directly. If an attacker sets USER=-f root and connects using telnet -a or --login, the login process interprets -f root as a flag to bypass authentication, granting immediate root shell access.

"Fine"

Why does every Linux distro under the sun try so hard to protect the garbage under /usr/bin/ and /etc/ when literally the only files that matter to me are in /home, which is a free-for-all?

Unixes like Linux are not immune.

There's also good old edit... ;-)

https://github.com/microsoft/edit

Yeah, it's a re-creation of edit, but it's pretty great... also runs outside windows.

Visual Studio Code is the compromise

Neither is Neovim, Sublime Text, Visual Studio, ed, etc... So what? This is still unacceptable

>Creating a separate User (User folders are permission locked to their user by default, system binaries cannot be modified without admin access)

Common practice, and even encouraged by Windows itself, is having the administrator account be the only account. This misuse is a very common thread in Windows systems, and security breaches alike.

If I had to guess, the mandate to cram AI in everywhere came down from Nadella and the executive level with each level of management having KPIs for AI in their product all the way down. Much like the "everything has to be .NET even though nobody has any idea what .NET means" when it was first introduced and every MS product suddenly sprouted .NET at the end of their names. When executive management gives stupid non-negotiable orders, they get stupid results.

It is a bit odd that they basically took one of Microsoft’s most universally hated features (Clippy) and then decided “let’s put this into literally every part of the OS”.

I think they came up the the exact right answer like:

> How do I add more features to get a promotion

It’s just resumé driven development. Corporate droids gotta justify their salaries somehow. It doesn’t pay to call software “done”.

But can it generate qrcode already?

As funny as the "Bush hid the facts" bug may be, there is a world of difference between an embarassing mistake by a function that guesses the text encoding wrong, and a goddamn remote code execution with an 8.8 score

> and we have other battles we fight.

Except no, we don't. notepad.exe was DONE SOFTWARE. It was feature complete. It didn't have to change. This is not a battle that needed fighting, this was hitting a brick wall with ones fist for no good reason, and then complaining about the resulting pain.

> nailing down Unicode and text encodings was still considered rocket science. Now this is a solved problem

I wish…

Detecting text encoding is only easy if all you need to contend with is UTF16-with-BOM, UTF8-with-BOM, UTF8-without-BOM, and plain ASCII (which is effectively also UTF8). As soon as you might see UTF16 or UCS without a BOM, or 8-bit codepages other than plain ASCII (many apps/libs assume that these are always CP1252, a superset of the printable characters of ISO-8859-1, which may not be the case), things are not fully deterministic.

Thankfully UTF8 has largely won out over the many 8-bit encodings, but that leaves the interesting case of UTF8-with-BOM. The standard recommends against using it, that plain UTF8 is the way to go, but to get Excel to correctly load a UTF8 encoded CSV or similar you must include the BOM (otherwise it assumes CP 1252 and characters above 127 are corrupted). But… some apps/libs are completely unaware that UTF8-with-BOM is a thing at all so they load such files with the first column header corrupted.

Source: we have clients pushing & pulling (or having us push/pull) data back & forth in various CSV formats, and we see some oddities in what we receive and what we are expected to send more regularly than you might think. The real fun comes when something at the client's end processes text badly (multiple steps with more than one of them incorrectly reading UTF8 as CP1252, for example) before we get hold of it, and we have to convince them that what they have sent is non-deterministically corrupt and we can't reliably fix it on the receiving end…

There is a difference between a bug you laugh at and walk away and a bug a scammer laughs at as he walks away with your money.

When I open something in Notepad, I don't expect it to be a possible attack vector for installing ransomware on my machine. I expect it to be text. It being displayed incorrectly is supposed to be the worst thing that could happen. There should be no reason to make Notepad capable of recognizing links, let alone opening them. Save that crap for VS Code or some other app I already know not to trust.

Embarrassing bugs are not RCEs. Also the industry should be more mature now, not less. But move fast and break things, I guess...

To be honest, the 'bush hid the facts' bug was funny and was not really a vulnerability that could be exploited, unless... you understood Chinese and the alternative text would manage to pursuade you to do something harmful.

In fact, those were the good days, when a mere affair with your secretary would be enough to jeopardize your career. The pendulum couldn't have swung more since.

https://en.wikipedia.org/wiki/Bush_hid_the_facts

I am pretty sure it's possible to fix that entire category of bugs without introducing RCE vulnerabilities.

Fascinating reading about that bug, thanks for sharing

> Now this is a solved problem

Is that so? I ran pretty often in problems with programs having trouble with non-ANSI characters

It's not solved, we just don't have to guess the encoding any more because it's always UTF-8.

Why does my text-editor need to do "encryption at rest"? If I want data encrypted, I store it in an encrypted drive with a transparent en/decryption layer.

> FIPS-compliant bindings (OpenSSL)

Using FIPS mode can be insecure because the latest FIPS-compliant version can be years older than the latest non-FIPS one with all the updates.

The only time it makes sense to use the FIPS version is where there is a legal or contractual requirement that trumps security considerations.

What does notepad need openssl for?

That's why we have text editors, markdown viewers, image viewers, etc.

You were never able to "click a link" in Notepad in the past.

Mixing responsibilities brings with it lots of baggage, security vulnerabilities being one of them.

Is it giving MS too much credit to suggest that they probably didn't just vibe code their new notepad?

Large swathes of this industry have an obsession with investing 10x more resources into the wrong thing, than simply fixing the underlying issue.

Which 10 buttons?

> Neither vim nor Notepad are purely for displaying text though.

Up until fairly recently, that's exactly all Notepad did.

Vim has those bugs because of bloat, and now Notepad does too. AI, Markdown, Spellchecker, etc, nobody asked for this bloat.

vim is a far larger program than a text editor.

notepad was always a plain text editor. It had enough problems with unicode and what that means to be "plain text".

Mine was when they asked me to rate the calculator on the store.

You are mistaken:

> The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.

> If I read it correctly (but could be mistaken), it runs with setuid root

I am certain you are mistaken. I couldn't find anything that hints at notepad running with elevated privileges.

You do have a point, because it shows an unfortunate inflation in words. That said, on a fresh windows install, notepad was usually an island of stability in a sea of sorrow. The day I saw AI introduced to it, I knew the end is nigh.

I had a USB that I carried around with me with a whole bunch of portable apps on it. That allowed me to have some kind of "standard environment" I could rely on.

I've since migrated to Linux 100% (outside of work) and whilst there are the odd annoyances, it's been a breath of fresh air compared to Windows. And I can have a good chuckle almost once a week these days with each new Windows consumer hostility coming across the HN front page.

> the purity of "working with what's installed".

Oh, a kindred spirit!

I too absolutely love the notion of the base install, and what can be done just by means of its already available toolset.

(Fun tidbit: Did you know Windows comes with a bare bones C# 5 toolchain, with csc.exe, and even vbc.exe and jsc.exe?)

There's still old tiny Metapad. And also more modern and fully featured (but still light) Notepad 2/3/4 and Notepad++. For full replacement, i just renamed all instances to notepad.exe.bak, back then on Windows 7 & 10, and rename-replaced it with metapad.exe. Though, i guess with UWP apps (modern Notepad is one), it's just file associations nowadays. There's surely some mass-reassociate utility around?

Btw, nano is only 50/50 chance that's it's pre-installed. Learn some vim, will ya? ;)

EDIT.COM still works in dosbox

Except it keeps reverting to the new notepad every few days….

I’ve been fighting this for the last couple of weeks but it just doesn’t stick

> This has hurt me specifically. Since I work without IDEs, no VIM, no vs code. On linux I use nano, on windows I use Notepad. I like the minimalism and the fact that I have absolute control, and that I can work on any machine without needing to introduce an external install.

What's your day job? Are you self employed?

I’m not sure I understand what you’re trying to say. You could always edit system files with notepad, that was something that the program always excelled at thanks to its simplicity in both how it looked and behaved. And i fail to see the new features as anything but useless bloat.

I don’t know if it works for windows but on other operating systems if you hold shift while pasting it strips the special formatting. I don’t have a windows machine readily available but I hope even if it doesn’t work there this will be useful to other people reading the comment. I agree though. Basically the only format I ever want to keep is _sometimes_ the link with text. And even then usually not the exact coloring/indicators.

You can still do this in W11 notepad. Firstly, there's a global setting for having formatting/markdown being enabled at all, and secondly it only does the rendering for .md files. Finally, while formatting is enabled, and editting a markdown file, you have the option to toggle between formatted and "syntax" view (ie raw text).

Windows now has buttons in win-v (the clipboard helper popup) for this

These kind of surprises are the reason why we should switch off auto update on every software.

Wow that's a hit of nostalgia, I'd completely forgotten about metapad, but I loved it back in the day.

And it's hard to believe now, but yes, support for Ctrl+S to save file was a notable feature because notepad itself didn't support that back then.

I used to overwrite c:\windows\notepad.exe with Metapad. At some point Windows security made this a pain though!

One of the last straws that got me to migrate to Linux was how long it would take for calc.exe to open in Windows 10. Even on much older computers and much older version of Windows it was instant. Suddenly in the mid-2010's the calculator is so bloated you have to wait a few seconds for it to load? Fuck off.

It didn't always take a long time to load, but often enough that it was noticeable and 'worrisome' for the future of Windows.

I've found calc's currency converter feature frightening.

Oof. That's a special kind of stupid. I get how it happened, but like, they found a way to make calc bad while also bringing an obscure feature in modern browsers I hate with a passion.

It reminds me of King of the Hill where Hank says "Can't you see you're not making Christianity better and you're only making rock music worse?"

Looks like they logged in the first time in years to make a post https://news.ycombinator.com/item?id=46975123

And decided to jump in on some threads just as well.

HN is a psy-op.

Yeah, way more than the good old Notepad :)

copilot has nothing to do with this vulnerability

It's in fact the opposite. Browsers show a popup that asks if you really intended to click a link with a non http/https handler, notepad does not.

The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.

I just use the winxp wordpad.exe. (and calc paint notepad, and I use paint shop pro 4.12)

     ftype txtfile=c:\windows\NOTEPAD.EXE %1

Yeah it sucks. Got an MBP here which was my refuge from Windows. That's gone to hell too.

I am moving off onto an old desktop running Debian stable slowly as I don't really need a laptop. This also isolates me from a number of geopolitical and technology creep and lock-in related risks I have identified.

As someone who would like to get a new PC (but a desktop) for coding, and is considering a mac, why would you never buy a mac for coding ?

I'm currently running Ubuntu on this ancient thing (which I love actually), but I absolutely don't want Windows.

Do you have a moment to talk about Linux?

Install Linux

They changed how that works. Licenses are no longer tied to version, you get 3 years of updates no matter what the version is.

It’s $99 for something that is almost 5 years old at that point.

Windows and other OSes have application launchers that open whatever app you want, and those apps may have issues that cause it to download and run arbitrary code. if that's the logic here, then every application launcher is vulnerable to similar RCE.

if there's really nothing more to this 8.8 RCE CVE than that, this will finally be the thing that's makes me blackhole cve.org.

I 100% agree. I'm just trying to point out the problem isn't Microsoft AI slopping their software. Even if you slopped it, the software could turn out better than what they're putting out.

There must be something much worse than slop going on to get to this point.

Funnily enough, the core Windows API here that brings with it support for every URL scheme under the sun is plain old ShellExecute() from the mid-90s IE-in-the-shell era when such support was thought reasonable. (I actually still think it’s reasonable, just not with the OS architectures we have now or had then.)

This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.

so if you download a random EXE in your browser and run that, it can not result in compromise?

Yes, that is the definition consistent with historical use of "RCE": a component is accessible in such a way that it is remotely reachable and you can get full code execution access on the machine via that bug (subject to whatever limits the process has within the OS, such as running as a certain user ID or seccomp or such). This attack is less like an RCE in a networked web server and more like bad file parsing in a PDF reader

Last month it was the term "supply chain attack" that was abused to describe a situation where some vulnerable dependency could be abused in a downstream component. I guess every weakness in the Linux kernel is now a "supply chain attack" because it was in the supply chain and there is an attack, never mind that the term was originally about e.g. the liblzma/xz situation (specific attacks on a supply chain component, with no other purpose than attacking a downstream vendor)

I know I can't stop language change but I am getting a bit tired of how many tech people (who know better) go along with fear term inflation