I’m willing to bet the only time most people use WordPad, Windows’ ultra-basic word processor, is when they have to open a document on their machine before Office has been installed. But WordPad is on every Windows system, and it turns out that a vulnerability patched in this week’s Patch Tuesday update affects it.
As Microsoft explains:
The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This would be a difficult vulnerability to exploit, since it requires someone to accept a specially configured file and then open it in WordPad. It may also fail if the user doesn’t have administrator rights. Nonetheless, it’s a reminder that apps bundled with the OS bring a security risk no matter how convenient they might seem.