These vulnerabilities expose millions to remote code execution, privacy intrusion, and credential compromise, compelling organizations to accelerate patching, scrutinize biometric verification, and reconsider password‑manager security architectures.
The latest Threatwire episode delivers a packed cyber‑security briefing, spotlighting three headline stories: a critical flaw in Windows 11’s revamped Notepad, Discord’s upcoming facial‑age verification system, and a new academic analysis exposing weaknesses in leading password managers.
Microsoft’s Notepad now parses markdown, inadvertently allowing specially crafted files to hide malicious URIs that trigger remote code execution. The issue, catalogued as CVE‑2026‑2841, earned a 7.8 CVSS rating. Meanwhile, Discord announced it will roll out on‑device facial age estimation to gate age‑restricted content, assuring users that images never leave the device, yet the move has ignited a privacy backlash. Separately, researchers at ETH Zurich simulated full server takeovers of Bitwarden, LastPass, and Dashlane, uncovering 12, 7, and 6 viable attack vectors respectively; Bitwarden and LastPass showed complete vault compromise, while Dashlane suffered shared‑vault exposure.
Microsoft described the Notepad bug as “improper neutralization of special elements used in a command,” and Discord’s FAQ emphasized that only an age range is retained, never the identity. The password‑manager study highlighted real‑world attack scenarios, prompting Bitwarden to reiterate that no breach has occurred; all three vendors labeled the findings low‑severity. The discussion also referenced recent supply‑chain compromises, such as Notepad++’s update‑server breach, underscoring the plausibility of these attacks.
Collectively, these developments warn enterprises and consumers alike that even trusted utilities and widely‑adopted security tools can harbor exploitable flaws. Immediate patching of Notepad, careful evaluation of facial‑recognition deployments, and a reassessment of password‑manager cryptography are essential steps to mitigate potential credential theft and privacy erosion.