Windows Notepad markdown links trigger RCE risk

This is the classic feature-creep security story: a tool users mentally classify as harmless picked up just enough rendering and link behavior to become an execution boundary.

• –The dangerous step was Notepad treating Markdown links as launchable protocols instead of inert text, which breaks old trust assumptions around `.md` files.
• –Exploitation still needed the victim to open the file and Ctrl-click the link, but that is well within normal phishing and social-engineering playbooks.
• –Microsoft's fix adds an unsafe-link warning for non-HTTP protocols rather than fully blocking them, so the patch reduces risk more than it eliminates it.
• –For developers and security teams, the bigger lesson is to re-threat-model "simple" built-in tools whenever vendors add preview, rendering, or rich-content features.