Beaumont wrote:
If you can intercept and alter this traffic, you can redirect the download to any location it seems by altering the URL in the property.
This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit at the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.
The downloads themselves are signed—however some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there's a scenario where the download isn't robustly checked for tampering.
Because traffic to notepad-plus-plus.org is fairly unusual, it would be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources.
Beaumont published his working theory in December, two months to the day prior to Monday's advisory by Notepad++. Combined with the details from Notepad++, it's now clear the theory was spot on.
Beaumont also warned that search engines are so "rammed full" of ads pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks. A rash of malicious Notepad++ extensions only compounds the risk.
He advised that all users ensure they're running the official version 8.8.8 or higher, installed manually from notepad-plus-plus.org. Since he penned that advice, Notepad++ developers have urged all users to ensure they're running 8.9.1 or higher.
Larger organizations that manage Notepad++ and update it, he said, should consider blocking notepad-plus-plus.org or blocking the gup.exe process from having Internet access. "You may also want to block internet access from the notepad++.exe process, unless you have strong monitoring for extensions," he added, but cautioned that "for most organisations, this is very much overkill and not practical."
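One way to apply the controls Beaumont describes on a managed Windows host, as an added PowerShell example that is not from the article, from Beaumont, or from the Notepad++ project: it blocks outbound network access for the updater process (and, optionally, the editor) with the built-in Windows Firewall cmdlets, then checks the Authenticode signature and certificate chain of a manually downloaded installer before it is deployed. The install paths, the installer filename, and the firewall rule names are assumptions; adjust them to your deployment.

```powershell
# Added example, not code from the article or the Notepad++ project.
# Assumptions: default 64-bit install location, and an installer already
# downloaded manually from notepad-plus-plus.org into $env:TEMP.
# Run from an elevated PowerShell session (firewall rules need admin rights).

$gup    = 'C:\Program Files\Notepad++\updater\GUP.exe'   # assumed updater path
$editor = 'C:\Program Files\Notepad++\notepad++.exe'      # assumed editor path
$setup  = Join-Path $env:TEMP 'npp.Installer.x64.exe'     # assumed installer filename

# 1. Stop the updater from reaching the network at all, so a tampered update
#    response cannot steer it to a different download location.
New-NetFirewallRule -DisplayName 'Block Notepad++ updater outbound' `
    -Direction Outbound -Program $gup -Action Block -Profile Any -Enabled True

# 2. Optional, and as Beaumont notes overkill for most organisations: also cut
#    off the editor itself, which covers network-capable extensions.
#    Uncomment only if you lack strong monitoring for extensions.
# New-NetFirewallRule -DisplayName 'Block Notepad++ editor outbound' `
#     -Direction Outbound -Program $editor -Action Block -Profile Any -Enabled True

# 3. Before pushing a manually downloaded installer, confirm its Authenticode
#    signature is valid and look at who signed it and who issued that cert.
#    An unsigned or modified binary reports Status 'NotSigned' or 'HashMismatch'.
$sig = Get-AuthenticodeSignature -FilePath $setup
[PSCustomObject]@{
    File   = $setup
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    Issuer = $sig.SignerCertificate.Issuer
} | Format-List

if ($sig.Status -ne 'Valid') {
    throw "Refusing to deploy $setup : signature status is $($sig.Status)"
}

# 4. Walk the certificate chain so the trust anchor is visible. The article
#    notes that earlier builds chained to a self-signed root and later ones
#    to GlobalSign; this prints every subject from leaf to root for review.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($sig.SignerCertificate)
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

The firewall rules are per-program, so they survive a version upgrade as long as the install path does not change; the signature check is the step to keep even where the firewall rules are judged overkill, since a valid signature from the expected signer is what a hijacked download would lack.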
Notepad++ has long attracted a large and loyal user base because it offers features that aren't available in the official Windows text editor, Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven additional interest in the alternative editor. Alas, like so many other open source projects, funding for Notepad++ is dwarfed by the dependence the Internet places on it. The weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available.

