Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...

True, not related to CoPilot, but if I understand your conclusion right (which I'm not sure about), it's not _just_ that links are clickable now, it's because Notepad actually does something with the links. Otherwise it'd be a browser vulnerability, and Notepad couldn't seriously be blamed.



It's in fact the opposite. Browsers show a popup that asks if you really intended to click a link with a non http/https handler, notepad does not.

The actual RCE here would be in some other application that registers a URL handler. Java used to ship one that was literally designed to run arbitrary code.


Ah, got it. Very different from where I suspected the issue then.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: