Windows PCs could be at high risk from a huge security flaw triggered by one of the platform’s most popular software offerings.
A leading security researcher has disclosed a vulnerability that would let hackers take complete control of a PC simply by loading some malicious code using Notepad.
Once exploited, the flaw could give hackers complete access to processes across the system. The vulnerability dates back to the time of Windows XP, meaning a broad range of devices could still be at great risk.
Tavis Ormandy, a security expert at Google Project Zero, found the flaw, which exploits a shortcoming in the Windows Text Services Framework, the component that oversees keyboard layouts and text input.
An element within the system, CTextFramework, can be attacked through apps that interact with it to display text on the screen. Ormandy observed that the security protocols governing the system can be bypassed easily, allowing hackers to escalate their access privileges and gain access to multiple systems across the victim’s device.
“These are the type of hidden attack surfaces where bugs last for years,” Ormandy said. “It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.”
The flaw, officially known as CVE-2019-1162, is patched in Microsoft’s monthly Patch Tuesday security release, which users should install as soon as possible.