Hacker News: Rohansi's comments

> Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.

Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.


That's not the case here.

Web browsers warn you about opening arbitrary protocols. And you have to select the program that will open it.

This Notepad vuln allows you to click things like ssh://x....


> This Notepad vuln allows you to click things like ssh://x....

Which just opens up SSH connecting to a server. Is that really RCE?

It'll also only work with URI schemes that are registered on your system. It's not running arbitrary commands - software you install on your PC registers URI schemes and sets what command it should run when opened. It's then up to that software to parse the URI and handle it properly. If it doesn't then the RCE belongs to them because they registered the URI scheme and failed to handle it securely. Having an allowlist of URI schemes in Notepad isn't going to fix it.


It doesn't only work with protocols registered by "your system" - Notepad doesn't register protocols. And Notepad is the user agent, here.

It works with your _locally_ registered protocols, not just the _remote_ protocols.

Which is why it works with JScript. And PowerShell. And Visual Basic.

This is a bug that replicates why IE 4 was called insecure. It's not something that should ever surface again, today.

It is... The exact example of what an RCE is. _Local_ code executed by a _remote_ command.


As far as I can tell there is no URI scheme registered on Windows for JScript, PowerShell, or VBScript. They have file associations but those are not URI schemes.
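As an added defender-side check (not part of the thread), this PowerShell snippet enumerates which URI schemes a Windows machine has registered as URL protocol handlers and the command each one dispatches to, which is the set any clickable-link feature could hand off to. It also tests the names raised in the thread (ssh, jscript, powershell, vbscript, file); the two function names are mine.

```powershell
# Added example, not from the thread: audit the URI schemes that Windows will hand
# off to a registered handler when a link like scheme://... is opened.
# HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, so it
# covers both machine-wide and per-user registrations.
$ClassesRoot = 'Registry::HKEY_CLASSES_ROOT'

function Get-UrlProtocolHandler {
    # A ProgID key is a URL protocol handler only if it carries a value named
    # "URL Protocol" (usually empty). File-type keys (".js", ".vbs", ".ps1") and
    # their ProgIDs do not carry it, so they are file associations, not schemes.
    Get-ChildItem -Path $ClassesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '.*' } |
        ForEach-Object {
            $key = $_
            $marker = Get-ItemProperty -Path $key.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue
            if ($null -ne $marker) {
                $cmdKey = Get-Item -Path (Join-Path $key.PSPath 'shell\open\command') -ErrorAction SilentlyContinue
                # (default) value of shell\open\command; Windows substitutes the whole URI for %1
                $cmd = if ($cmdKey) { $cmdKey.GetValue('') } else { '<no shell\open\command>' }
                [PSCustomObject]@{
                    Scheme  = $key.PSChildName.ToLower()
                    Command = $cmd
                }
            }
        }
}

function Test-UrlProtocolScheme {
    # Returns $true when $Scheme is registered as a URL protocol handler.
    param([Parameter(Mandatory)][string]$Scheme)
    $key = Join-Path $ClassesRoot $Scheme
    $null -ne (Get-ItemProperty -Path $key -Name 'URL Protocol' -ErrorAction SilentlyContinue)
}

# Full inventory: every scheme a clickable-link feature could dispatch, with the exact command.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize

# The names raised in the thread: "ssh" is whatever an installed SSH client registered;
# the script engines only have file associations unless some product added a scheme.
foreach ($s in 'ssh', 'jscript', 'powershell', 'vbscript', 'file') {
    '{0,-12} registered as URL protocol: {1}' -f $s, (Test-UrlProtocolScheme -Scheme $s)
}
```

Run it in an ordinary (non-elevated) session; the HKCR view already merges per-user registrations, so anything a user-installed application added shows up alongside machine-wide handlers.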

How old? The 2023+ models with HW4 are pretty good at FSD. A 2021 model with HW3 was scary bad when I tried it about a year and a half ago.

> I tried it about a year and a half ago.

So, you do not own a Tesla.


I do. I replaced that HW3 Model 3 with a HW4 Model Y.

I would agree for most Teslas on the road. However, the very latest (HW4) cars are significantly better at FSD where I would nearly trust it now. Most of those older (pre-2023?) cars will not have their hardware upgraded so they'll still have FSD that drives like an idiot!

Creating hydrogen isn't the only problem. Storage and transportation are big ones since it is an actual gas instead of a liquid. Needs to be compressed, causes embrittlement, highly flammable, etc...

> I am not sure about TypeScript. I think having static typing is just too good of an insurance against stupid bugs and for your own sanity.

TypeScript has static typing though?


I never understood why state management is overcomplicated in React. For some reason most people use something like Redux which has a very unintuitive API. There are other state management packages available that are so much easier to use and understand, like MobX.

https://github.com/mobxjs/mobx


To shine a light on the mystery, before React had (a) hooks and (b) a stable context API and (c) tanstack-query/react-query or GraphQL, state handling WAS a mess. That's when redux/mobx etc. made more sense. Try to build something with a pre-2019 version of React and you will understand the need.

Redux is an implementation of the Elm architecture (TEA) which is used for UI state in a lot of languages and frameworks. JS/TS is just not a very ergonomic language for it so it becomes painful quickly.

https://guide.elm-lang.org/architecture/


Is this 2019?

I always see this argument but from experience I don't buy it. FSD and its cameras work fine driving with the sun directly in front of the car. When driving manually I need the visor so far down I can only see the bottom of the car in front of me.

The cameras on Teslas only really lose visibility when dirty. Especially in winter when there's salt everywhere. Only the very latest models (2025+?) have decent self-cleaning for the cameras that get very dirty.


FSD doesn't "work fine" driving directly into the sun. There are loads of YT videos that demonstrate this.


For which car? The older the car (hardware) version the worse it is. I've never had any front camera blinding issues with a 2022 car (HW3).

The thing to remember about cameras is what you see in an image/display is not what the camera sees. Processing the image reduces the dynamic range but FSD could work off of the raw sensor data.


Nobody cares that you think v14.7.22b runs well on HW3.1. Literally nobody.

It doesn't run well on HW3 at all. HW4 has significantly better FSD when running comparable versions (v14). The software has little to do with the front camera getting blinded though.

"works fine" as in can follow a wide asphalt road's white lines. That is an absolutely trivial thing; Lego Mindstorms could follow a line just fine with a black/white sensor.

This vision clearly doesn't scale to more complex scenarios.


No, works fine when it's snowing and roads are covered with snow (no lines visible). At least on the latest HW+SW.

Waiting for someone to be ready to (actively) monitor it?


I think there are more text editors around that render clickable links than there are that don't. Even your terminal probably renders clickable links.

Despite the scary words and score this wouldn't even be a vulnerability if people weren't so hard-wired to click every link they see. It's not some URL parsing gone wrong triggering an RCE. Most likely they allowed something like file:// links which of course opens that file. Totally valid link, but the feature must be neutered to only http(s):// because people.


Ed doesn't.


Which 10 buttons?

