
being sent a sketchy file and then asked to click on a link in it isn't "remote" code execution actually


also Notepad is becoming more of a Rich Text Editor than a basic text editor and while I have Opinions on it going in that direction it makes a lot of sense "notepad has never had a vuln before!" but WordPad has. and TextEdit on macOS has. and Notepad is pivoting to be like those two


@invoxiplaygames.uk notepad is supposed to be the thinnest possible glue over the plain text control. wordpad is the same, except the rich text control. so, unless the plain text control has suddenly grown markdown features,,,,,


@invoxiplaygames.uk i was thinking about this for a while and I think my opinion is that it's ok to call it RCE (you're tricking the user into downloading and running remote code) because we currently lack taxonomic specificity around the "it's an interactive trick based on subverting user expectations, not traditional RCE" aspect of it.

the key problem is calling this class of document-based code execution bugs "remote", when the actual exploitation vector is inherently filesystem-local.


@invoxiplaygames.uk so like... LCE? idk. but yeah, I'm ok with folks saying "RCE" for this, as long as the interaction caveat is clearly stated.

@gsuberland @invoxiplaygames.uk Calling this RCE is at least consistent with MS's own taxonomy (see previous Office vulns). CVSS UI:R is also a meaningful datapoint for those parsing their feed.

@gsuberland yeah. technically yes it's RCE in the sense that you can use it to run unintended code from a remote source. but the interaction vector itself is very local

(and my issues are that people don't clearly state the interaction caveat... especially given the target is a Windows product where people are naturally going to want to overexaggerate everything and blame AI, somehow)


@ipg yeah, very true.


@buherator @invoxiplaygames.uk yup. it's more of a communications issue. if you're the sort of person who knows what a security feed is and how to read a CVSS score then you know that "RCE" can really cover the gamut. but communicating the risk and impact to people who don't know that is important, especially given how often this stuff leads to misinformation (and even harmful outcomes).
