
Notepad++ updater installed malware

⁨353⁩ ⁨likes⁩

Submitted ⁨⁨5⁩ ⁨days⁩ ago⁩ by ⁨schizoidman@lemmy.zip⁩ to ⁨technology@lemmy.world⁩

https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html


Comments

  • smeg@infosec.pub ⁨5⁩ ⁨days⁩ ago

    tl;dr A network operator can perform a MitM attack on the built-in updater, telling it a new version is available at <malware URL> and then downloading and running the malware

    • HaraldvonBlauzahn@feddit.org ⁨5⁩ ⁨days⁩ ago

      I would doubt that the average self-updating Windows program has better security.

  • LastYearsIrritant@sopuli.xyz ⁨5⁩ ⁨days⁩ ago

    notepad-plus-plus.org/news/v889-released/

    Since you have to opt into tracking to read the article (which I think is illegal) here’s the source.

    • muusemuuse@sh.itjust.works ⁨5⁩ ⁨days⁩ ago

      One of the few moments safari is the easier option…

      - tap hide distracting items
      - tap the bullshit banner
      - it blows away dramatically

      • 9bananas@feddit.org ⁨4⁩ ⁨days⁩ ago

        ublock has the same function; it’s the thunderbolt icon, which lets you just zap away whatever html element offends you!

        …no fancy animation tho…is there a plugin that animates the ublock zapper? that would be very fun!

  • floofloof@lemmy.ca ⁨5⁩ ⁨days⁩ ago

    Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code.

    That doesn’t sound wise.

    • asbestos@lemmy.world ⁨5⁩ ⁨days⁩ ago

      So the private key was left in the Github source code and nobody caught it? Or was it the public key? (which makes this statement way less impactful)

      • Samskara@sh.itjust.works ⁨5⁩ ⁨days⁩ ago

        Private key probably. Only the public key is not enough to sign the package.

    • techt@lemmy.world ⁨5⁩ ⁨days⁩ ago

      This is the explanation for why:

      notepad-plus-plus.org/…/v883-self-signed-certific…

  • flamiera@kbin.melroy.org ⁨5⁩ ⁨days⁩ ago

    OP, if people have to do the work for you in posting sources, consider this a learning lesson as to what not to do.

  • theherk@lemmy.world ⁨5⁩ ⁨days⁩ ago

    Not accessible without accepting advertising cookies, like Healthline.

    • floquant@lemmy.dbzer0.com ⁨5⁩ ⁨days⁩ ago

      Zap the overlay with uBlock

      But yeah fuck the author and everyone else using the “pay or be tracked” scheme. If you want to show ads to non subscribers, fine. But there’s no reason to require tracking users to do so - if non-tracked ads are less profitable, take it up with the ad networks.

      • theherk@lemmy.world ⁨5⁩ ⁨days⁩ ago

        Agreed in all accounts. I do use ublock on my laptop but not on mobile.

  • ren@reddthat.com ⁨5⁩ ⁨days⁩ ago

    Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary – if such a warning pops up, users should be alarmed.

    I don’t understand how this is relevant. Unless the attacker has either

    (a) somehow acquired the private key of the cert

    (b) replaced the cert delivered through the installer

    A self-signed cert isn’t any worse. Both of these attack vectors still work with a public root CA. Or maybe notepad++ just forgot to validate the self-signed cert against the one they delivered through their sources, just accepting any non-expired cert? That’s just a bug.

  • JTskulk@lemmy.world ⁨5⁩ ⁨days⁩ ago

    The updater for the open-source editor Notepad++ has installed malware on WINDOWS PCs. The Linux ecosystem doesn’t allow for this kind of network attack because of signing.

    • funkless_eck@sh.itjust.works ⁨5⁩ ⁨days⁩ ago

      np++ isn’t on Linux I thought

      • bryndos@fedia.io ⁨5⁩ ⁨days⁩ ago

        yeah there was 'notepadqq', but it’s not the same as ++.

      • Muehe@lemmy.ml ⁨5⁩ ⁨days⁩ ago

        There are quite a lot of packages running it through wine, on AUR, as snap/flatpak, and probably more I didn’t see in my cursory search. So the question is does this exploit work on wine I guess.

  • Kazumara@discuss.tchncs.de ⁨5⁩ ⁨days⁩ ago

    I don’t get how this was exploited in practice.

    Even if the signatures on the downloaded packages weren’t checked properly, how would you modify the content of the XML file returned from notepad-plus-plus.org/update/getDownloadUrl.php?v… ? For that you’d have to break or MITM the TLS too, no?

    The usual case for TLS MITM is when a company decides DPI is more important than E2E encryption and they terminate all TLS on the firewall, but if the firewall is compromised there would be much easier avenues of entry other than notepad++

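The scenario in smeg's tl;dr (a network-position attacker rewriting the update response), ren's guess that the client "just accepted any non-expired cert", and Kazumara's point that the manifest is only as trustworthy as the TLS channel it arrives over all come down to what an update client actually verifies. As an added illustration, not Notepad++'s own updater code, here is a small Python update-check in the defensive shape: the manifest may only point at an allowlisted HTTPS host, the downloaded bytes must match the manifest digest, and the package signer must match a pinned certificate fingerprint rather than merely being unexpired. The XML layout, the allowed hosts, the pinned fingerprint and the sample package are all constructed assumptions for the example; the real getDownloadUrl.php response format is not shown on this page.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of the kind of XML an update endpoint might return.
# The real Notepad++ response format is not shown on the page; this layout
# is an assumption made for the example.
MANIFEST_TEMPLATE = """<?xml version="1.0"?>
<update>
  <version>8.8.9</version>
  <url>{url}</url>
  <sha256>{sha256}</sha256>
</update>"""

# Constructed stand-in for the installer bytes.
SAMPLE_PACKAGE = b"MZ-constructed-stand-in-for-an-installer"
GOOD_URL = "https://notepad-plus-plus.org/downloads/npp.Installer.x64.exe"
# What a manifest rewritten in transit (smeg's scenario) might point at instead.
EVIL_URL = "http://attacker.example/npp.Installer.x64.exe"

# Hypothetical policy: hosts the client may download updates from.
ALLOWED_HOSTS = {"notepad-plus-plus.org", "github.com"}
# Hypothetical pinned SHA-256 fingerprint of the vendor's signing certificate.
PINNED_SIGNER_FINGERPRINT = "deadbeef" * 8  # constructed placeholder
# Fixed clock values so the example is reproducible offline.
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2030, 1, 1, tzinfo=timezone.utc)


class UpdateRejected(Exception):
    """Raised when any link in the update chain fails verification."""


def build_manifest(url: str = GOOD_URL, package: bytes = SAMPLE_PACKAGE) -> str:
    """Render the constructed manifest for a given URL and package."""
    return MANIFEST_TEMPLATE.format(url=url, sha256=hashlib.sha256(package).hexdigest())


def parse_manifest(xml_text: str) -> dict:
    # ElementTree is fine for this constructed input; a real client should treat
    # the manifest as untrusted network data (e.g. parse it with defusedxml).
    root = ET.fromstring(xml_text)
    fields = {}
    for name in ("version", "url", "sha256"):
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise UpdateRejected(f"manifest is missing <{name}>")
        fields[name] = node.text.strip()
    return fields


def validate_download_url(url: str) -> str:
    """Only HTTPS, only allowlisted hosts, no embedded credentials."""
    p = urlparse(url)
    if p.scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS download URL: {url}")
    if p.username or p.password:
        raise UpdateRejected("refusing URL with embedded credentials")
    if p.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected(f"download host not allowlisted: {p.hostname}")
    return url


def verify_package_digest(package: bytes, expected_sha256: str) -> bool:
    if hashlib.sha256(package).hexdigest() != expected_sha256.lower():
        raise UpdateRejected("downloaded package does not match manifest digest")
    return True


def signer_check_weak(cert_fingerprint: str, not_after: datetime, now: datetime) -> bool:
    """The bug ren speculates about: any unexpired certificate is accepted."""
    return now < not_after


def signer_check_pinned(cert_fingerprint: str, not_after: datetime, now: datetime) -> bool:
    """Expiry plus identity: the signer must be the certificate the client pinned."""
    return now < not_after and cert_fingerprint.lower() == PINNED_SIGNER_FINGERPRINT


def check_update(xml_text, package, cert_fingerprint, not_after, now=SAMPLE_NOW) -> dict:
    """Run the whole chain; returns the parsed manifest or raises UpdateRejected."""
    manifest = parse_manifest(xml_text)
    validate_download_url(manifest["url"])
    verify_package_digest(package, manifest["sha256"])
    if not signer_check_pinned(cert_fingerprint, not_after, now):
        raise UpdateRejected("package signer is not the pinned vendor certificate")
    return manifest


def is_accepted(xml_text, package, cert_fingerprint, not_after=SAMPLE_NOT_AFTER) -> bool:
    """Boolean wrapper around check_update for quick comparisons."""
    try:
        check_update(xml_text, package, cert_fingerprint, not_after)
        return True
    except UpdateRejected:
        return False


if __name__ == "__main__":
    good = build_manifest()
    print("legitimate:", is_accepted(good, SAMPLE_PACKAGE, PINNED_SIGNER_FINGERPRINT))
    print("rewritten URL:", is_accepted(build_manifest(url=EVIL_URL), SAMPLE_PACKAGE, PINNED_SIGNER_FINGERPRINT))
    print("unpinned signer:", is_accepted(good, SAMPLE_PACKAGE, "cafebabe" * 8))
    print("weak check accepts unpinned signer:", signer_check_weak("cafebabe" * 8, SAMPLE_NOT_AFTER, SAMPLE_NOW))
```

The digest in the manifest only bounds what gets installed if the manifest itself arrived over an authenticated channel, which is Kazumara's TLS point: an attacker who can rewrite the URL can rewrite the digest next to it. The pinned-signer check is the layer that still holds when the manifest is rewritten, and it is exactly the layer a "validate expiry only" check (signer_check_weak) gives away.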
  • SnotFlickerman@lemmy.blahaj.zone ⁨5⁩ ⁨days⁩ ago

    This isn’t the first time Notepad++ was compromised, if I recall correctly, the first time was by a CIA backdoor.

    notepad-plus-plus.org/…/v733-fix-cia-hacking-npp-…

  • floofloof@lemmy.ca ⁨5⁩ ⁨days⁩ ago

    archive.is/uCWNB

  • SculptusPoe@lemmy.world ⁨5⁩ ⁨days⁩ ago

    I just updated through Ninite and it went to 8.8.9.

  • cerebralhawks@lemmy.dbzer0.com ⁨5⁩ ⁨days⁩ ago

    Huh. Notepad++ is only for Windows?

    I used to use EditPad when I used Windows. There was something that royally pissed me off about it, but I can’t recall now. I know there was kind of a shenanigans with the name. EditPad Lite was free and there was an EditPad Pro, but IIRC the free one was just fine for most people (and I do believe in paying for software you enjoy using). I dunno, it did something, but now, mostly I just remember it being very good.

    I have a Mac now and we have TextEdit. It’s never made me want more from a notepad app. Notepad used to suck in Windows. We have it at work and I quite like it. It has Markdown support, but you can disable that if you want. It also has Copilot AI in it, but that can also be disabled. It has Dark Mode which is pretty much all I wanted from my notepad app. I actually quite like my Windows 11 setup at work, but I like my Macs at home a bit better. I also know I don’t have much room to criticise Windows if I’m not running Linux, and there’s no point in bragging about Linux from a Mint or Ubuntu installation; these days you kinda have to use Arch (which you built from source) to really call yourself a Linux user. The rest of us are just plebeians.

    Of course if you’re using N++ as an IDE, that’s different. I don’t even want line numbers (visual distraction).

  • daggermoon@lemmy.world ⁨4⁩ ⁨days⁩ ago

    I have it installed in Wine, I haven’t updated it in months though.
