Windows PCs could be at risk from a major security flaw triggered by one of the platform’s most popular software offerings.
A leading security researcher has highlighted a vulnerability that would allow hackers to take over control of an entire PC simply by loading some malicious code using Notepad.
Once exploited, this could allow hackers to gain access over all processes within the system. The flaw dates all the way back to the time of Windows XP, meaning a wide range of devices could still be at risk.
Google Project Zero expert Tavis Ormandy discovered the flaw, which exploits a shortcoming in the Windows Text Services Framework that oversees keyboard layouts and text input.
A component within the system, CTextFramework, can be hacked through apps that interact with it to process showing text on screen. Ormandy found that the security protocols governing the system can be easily bypassed, allowing hackers to escalate their access privileges and gain access to multiple systems across the victim’s device.
These are the kind of hidden attack surfaces where bugs last for years,” Ormandy said. “It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.”
The flaw, officially known as CVE-2019-1162, is included as being patched in Microsoft’s monthly Patch Tuesday security release, which should be installed as soon as possible.
Via The Register