A Google security researcher, using simple prompts with the Claude AI assistant, has discovered critical remote code execution (RCE) vulnerabilities in the Vim and GNU Emacs text editors. The flaws allow an attacker to run arbitrary code on a victim's machine simply by tricking them into opening a malicious file. Patches for both widely used applications are now available.
The vulnerability in Vim, tracked as CVE-2024-3359, is a sandbox bypass related to how the editor processes "modelines." These are special commands embedded in a file's comments that can set local editor options. While this feature is disabled by default in recent versions, users with older configurations or those who have manually enabled it are at risk. A patch was committed on March 28, 2024.
The Emacs flaw, CVE-2024-3094, affects the popular Org Mode extension. It allows a specially crafted .org file to bypass the security prompt that normally asks for user confirmation before executing embedded code blocks. This could lead to silent code execution as soon as a file is opened. A fix for this issue was released on April 10, 2024.
The researcher, who goes by the handle "xssmatrix," reported that the discovery process was surprisingly straightforward. "It's insane how easily it found these bugs," they stated, explaining they prompted the AI to find vulnerabilities and then provided it with the source code. This event highlights the growing capability of AI models to perform complex code analysis that can uncover serious security flaws. While this presents a powerful new tool for security researchers to find and fix bugs, it also means threat actors could use the same technology to discover zero-day exploits more efficiently.
All users of Vim and GNU Emacs are advised to update their installations to the latest versions to protect themselves from these vulnerabilities.
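For the Vim modeline exposure described above, a defender can check whether a configuration turns modelines on and which files in a tree actually carry one. The Python below is an added example, not code from the researcher or the Vim project. Its function names and sample inputs are constructed, it parses only top-level `set` commands in a vimrc, and the caller supplies the default for their Vim build; the 5-line window is Vim's default `modelines` value.

```python
import re

# A modeline marker: "vi:" or "vim:" (optionally with a version test) at line
# start or after whitespace; "ex:" only counts after whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<>=]?\d+)?):|\sex:")
# Top-level :set commands only; sourced files and plugins are not followed.
SET_RE = re.compile(r"^\s*:?\s*(?:setlocal|setglobal|set|se)\s+(.*)$")

def effective_modeline(vimrc_text, default_enabled, default_lines=5):
    """Return (modelines_processed, line_window) after replaying a vimrc."""
    enabled, window = default_enabled, default_lines
    for raw in vimrc_text.splitlines():
        m = SET_RE.match(raw)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok in ("modeline", "ml"):
                enabled = True
            elif tok in ("nomodeline", "noml"):
                enabled = False
            elif tok in ("modeline!", "ml!", "invmodeline", "invml"):
                enabled = not enabled
            elif tok.startswith(("modelines=", "mls=")) and tok.split("=", 1)[1].isdigit():
                window = int(tok.split("=", 1)[1])
    return enabled and window > 0, window

def find_modelines(file_text, window=5):
    """Return (line_number, text) for modelines in the first/last `window` lines."""
    lines = file_text.splitlines()
    checked = set(range(min(window, len(lines))))
    checked |= set(range(max(0, len(lines) - window), len(lines)))
    return [(i + 1, lines[i]) for i in sorted(checked) if MODELINE_RE.search(lines[i])]

# Constructed samples, not taken from the article.
SAMPLE_VIMRC = '" legacy config\nset nocompatible\nset modeline\nset modelines=5\n'
SAMPLE_FILE = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hello\n"

if __name__ == "__main__":
    active, window = effective_modeline(SAMPLE_VIMRC, default_enabled=False)
    print("modelines processed:", active, "window:", window)
    for lineno, text in find_modelines(SAMPLE_FILE, window):
        print(f"line {lineno}: {text}")
```

Where the audit reports modelines as processed and an update cannot be applied immediately, `set nomodeline` in the vimrc turns the feature off.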




