Notepad++ upgrade process hacked to install Malware

I don't even have the auto updater installed so no beef here lol, manually installed the latest version and kept the auto updater option unticked again. I don't auto update anything, manual only.

winget upgrade --all

ftw.
 
Yeah that's really not an issue for me lol. I bet you're talking ms.
Depends, I usually look at large log files in MBs. I use VSCode for coding mainly and never do that with Notepad++.

VSCode I'll keep it open longer and have a workspace open, but Notepad++ gets opened and closed lots of times and is faster to startup (hence why it's a Notepad enhancement).


I always thought about the updater being a potential risk but it seems that the fix commit doesn't fully fix the issue as someone posted that it's still susceptible to path traversal (../../..) to allow malicious files to be downloaded from github instead. Less severe but still vulnerable.
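The traversal concern raised in this post, plus the code-signing point made further down the thread, as an added example that is not code from the Notepad++ project or from any poster here: a Python validator for an update download URL that rejects traversal segments (including percent-encoded ones) and pins the host and release path prefix, alongside a constant-time digest check for the downloaded file. The host, repository path and sample bytes are constructed assumptions, not Notepad++'s real update endpoint.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed values for illustration; not the real Notepad++ update location.
ALLOWED_HOSTS = {"github.com"}
ALLOWED_PREFIX = "/example-org/example-app/releases/download/"


def is_safe_update_url(url: str) -> bool:
    """Accept only https URLs on a pinned host whose path stays under ALLOWED_PREFIX."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Reject embedded credentials and odd ports; "user@host" tricks change the real host.
    if parts.hostname not in ALLOWED_HOSTS or parts.username or parts.password:
        return False
    if parts.port not in (None, 443):
        return False
    # Decode repeatedly so "%2e%2e" or double-encoded variants cannot hide "..".
    path = parts.path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\\" in path or "\x00" in path:
        return False
    segments = path.split("/")
    if any(seg in ("..", ".") for seg in segments):
        return False
    # After normalisation the path must still sit under the pinned release prefix.
    normalized = posixpath.normpath(path)
    if not normalized.startswith(ALLOWED_PREFIX):
        return False
    # Require a concrete file name (no trailing slash, no empty component).
    filename = posixpath.basename(normalized)
    return bool(filename) and filename == segments[-1]


def digest_matches(payload: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the downloaded bytes against a pinned SHA-256."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


# Constructed sample installer bytes and their digest, for a stand-alone run.
SAMPLE_PAYLOAD = b"constructed installer bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
```

The digest itself must come from an authenticated source (a signed manifest or a file shipped with the updater), otherwise an attacker who can swap the installer can swap the hash too.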
 
Yeah sorry I was completely tunnel visioned on my own use. I liked Notepad++ because if I recall it remembered tabs you had open.
Was useful when editing a cfg for random games etc.
 
It does, I have many of my notes left around in tabs on it. Hopefully a crash doesn't wipe it out :D
VSCode has the same thing but is a lot more integrated for coding.

I notice that the W11 Notepad has copied that and some other functionality too. I will still keep using it (N++) though since the regex search is also a bonus.

CFG files are exactly where I started with it too. I used to use it to modify Xfire (a very old in-game chat app) to disable scanning for games upon start up.
 
Blunt assessment here: total non-story....

Someone performed a highly targeted man-in-the-middle attack to insert something else into the update chain. That's got to be at the carrier level unless the user was already compromised (which somewhat makes this pointless).
Sure, the hardening is nice in the Notepad++ updater, but this has only gained any traction due to the popularity of Notepad++.
If you've got that sort of access, it's trivial to move on to a different application vector not performing code signing checking, or just bypass the application entirely & serve your choice of nasty via the browser :)
 