I'm being facetious of course, but this recent rhetorical trend of people confidently vouching for "pet" in "pet vs. cattle" is not a sustainable decision, even if it's admittedly plain practical in the short to medium run, or in given contexts even longer. It's just a dangerous and irresponsible lesson to blindly repeat, I think.
Change happens. Evidently, while we can mechanistically rule out several classes of bugs now, RCEs are not one of those. Whatever additional guardrails they had in place, they failed to catch this *. I think it's significantly more honest to place the blame there if anywhere. If they can introduce an RCE to Notepad *, you can be confident they're introducing RCEs left and right to other components too **. With some additional contextual weighting of course.
* Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
** Under the interpretation that this was an RCE, which I question.
[0] https://www.zerodayinitiative.com/blog/2026/2/19/cve-2026-20...
> According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
> The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
> For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.
Maybe we should separate "real original text-only editor" from "fancy text editor"?
Windows already got wordpad... why even lay a finger on textpad?
Windows 10 explorer.exe is 100x faster than Windows 11 explorer, it's not even close.
It also signals the death knell for Windows native apps. Microsoft can't make them anymore. It won't be long until even Excel is an Electron sloplication.
I have a hard time believing this. I'm pretty sensitive to performance losses and I haven't noticed any difference between those. It wouldn't make sense either, given they should both host the same shell icon views. Are you sure the difference you're seeing is in explorer.exe? As opposed to something else, like a new shell extension or a new filesystem filter driver on Windows 11?
M$ has now introduced web-latency into the desktop along with their adoption of web-tech into the OS. You gotta get used to staring at that spinning blue circle, counting the many precious moments of your life draining away.
Ultimately, what difference does it make? The file explorer in Windows 10 is much faster than the one in Windows 11, and it's very noticeable. Turn on the old context menus, and try right clicking a file. Instant in Windows 10, visible delay in Windows 11.
It does offer some new features for businesses. Nothing useful for the consumer, and nothing to justify the massive performance loss.
20231109 https://news.ycombinator.com/item?id=38212453 Windows 11 Update 23H2 is stealing users' IMAP credentials (666 points, 278 comments)
> the new Outlook is a thin wrapper around the cloud version, so the IMAP sync happens in the cloud, not locally
Btw, just before that I found this page regarding Edge, and this is why I paid more attention to these things: https://learn.microsoft.com/en-us/legal/microsoft-edge/priva...
That list is way too long for my taste, and it really indicated to me that Windows became completely adversarial.
Somehow in this timeline AI can only be used to make things worse and sloppier.
AI code that isn't properly guided and controlled by an engineer is just as sloppy as the human behind it.
AI is an accelerant for programming, but some developers created horrible code before AI, and AI won't change that. It just lets them do it faster.
They forgot that Enterprises are made out of Users.
Write an app to display the (URL) argument passed and require the user to confirm or reject before running the browser using any of one or more default and configurable command line templates.
Add an "Install as default http, https, file:// uri handler" button in the settings GUI. Prompt the user to install the app as default handler on first run.
Add opt-in optional debug logging of at least: {source_app_path:, url:, date_opened: } to a JSON lines log file.
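One way to implement the confirmation, command-template and opt-in logging steps of the comment above, as an added example that is not part of the original thread. The `TEMPLATES` table, the `firefox` command line and all function names are assumptions; registering the program as the default URI handler is OS-specific and not shown.

```python
import json
import subprocess
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumed defaults; the comment only asks for "configurable command line templates".
TEMPLATES = {s: ["firefox", "--new-tab", "{url}"] for s in ("http", "https")}

def describe(uri):
    """Return what the user must see before deciding, or None if the URI is malformed."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
    except ValueError:
        return None
    if not parts.scheme or any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return None  # no scheme (could be read as a CLI flag) or control characters
    return {"scheme": parts.scheme.lower(), "host": host, "uri": uri}

def build_command(template, uri):
    """Substitute the URI as exactly one argv element; no shell is involved."""
    return [uri if arg == "{url}" else arg for arg in template]

def log_open(log_path, source_app_path, url):
    """Append one JSON Lines record with the fields named in the comment."""
    record = {"source_app_path": source_app_path, "url": url,
              "date_opened": datetime.now(timezone.utc).isoformat()}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")

def ask_on_terminal(info):
    print("Open this link?\n  scheme: %(scheme)s\n  host:   %(host)s\n  full:   %(uri)r" % info)
    return input("[y/N] ").strip().lower() == "y"

def handle(uri, confirm=ask_on_terminal, templates=TEMPLATES, run=subprocess.Popen,
           log_path=None, source_app_path=None):
    """Show the URI, ask, and launch only on an explicit yes. Returns a status string."""
    info = describe(uri)
    if info is None:
        return "rejected: malformed"
    template = templates.get(info["scheme"])
    if template is None:  # schemes without a configured template are never launched
        return "rejected: no handler for scheme " + info["scheme"]
    if not confirm(info):
        return "rejected: user declined"
    if log_path:  # logging is opt-in
        log_open(log_path, source_app_path, uri)
    run(build_command(template, uri))
    return "opened"
```

Calling `handle(sys.argv[1])` from a small entry script gives the interactive prompt; the default answer is "no", and only schemes with a configured template can ever reach the browser.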