The article explores the "ms-notepad://" protocol handler introduced in recent Windows 11 builds. The researcher demonstrates how this handler can be used to launch the Notepad application via custom URI links, highlighting its behavior when handling filename arguments and the resulting file path resolution, including attempts at directory traversal using relative paths.
Furthermore, the analysis reveals a /TESTING command line argument within the new Notepad version that processes Base64 encoded strings to resolve file paths. This discovery allows for opening specific files through both the command line and the protocol handler, suggesting that the continuous addition of URI-based protocols in Windows provides an expanding attack surface for security research.
Top comments (0)