Notepad++ users take note: It's time to check if you're hacked



Beaumont wrote:

If you can intercept and alter this traffic, you can redirect the download to any location it appears by changing the URL in the property.

This traffic is alleged to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.

The downloads themselves are signed—however some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there's a situation where the download isn't robustly checked for tampering.

Because traffic to notepad-plus-plus.org is fairly rare, it could be possible to sit inside the ISP chain and redirect to a special download. To do that at any form of scale requires a variety of resources.

Beaumont published his working theory in December, two months to the day before Monday's advisory by Notepad++. Combined with the details from Notepad++, it's now clear the hypothesis was spot on.

Beaumont also warned that search engines like Google and Yahoo are so "rammed full" of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks. A rash of malicious Notepad++ extensions only compounds the risk.

He advised that all users ensure they're running the official version 8.8.8.8 or higher installed manually from notepad-plus-plus.org.

Larger organizations that manage Notepad++ and update it, he said, should consider blocking notepad-plus-plus.org or blocking the gup.exe process from having Web access. "It's possible you'll also need to block web access from the notepad++.exe process, unless you have robust monitoring for extensions," he added, but cautioned "for many organisations, this may be very much overkill and not practical."
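One way to apply the process-level block described above on a managed Windows host, as an added example that is not from Beaumont or the Notepad++ project. It assumes the default install directory with the updater at `updater\gup.exe`; the `-BlockEditor` switch and the rule names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: hypothetical helper script, not code from Notepad++ or Beaumont.
# Assumption: default install directory; pass -InstallDir for other locations.
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'Notepad++'),
    [switch]$BlockEditor   # hypothetical switch: also block notepad++.exe (the stricter option)
)

# gup.exe is the updater process named in the article.
$targets = @(Join-Path $InstallDir 'updater\gup.exe')
if ($BlockEditor) { $targets += Join-Path $InstallDir 'notepad++.exe' }

foreach ($exe in $targets) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Not found, skipping: $exe"
        continue
    }

    # Report version and Authenticode state so the inventory can be reviewed.
    # The article says signing was reverted to GlobalSign with 8.8.7; another
    # issuer or a non-Valid status is a prompt for review, not proof of tampering.
    $sig    = Get-AuthenticodeSignature -LiteralPath $exe
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '<unsigned>' }
    [pscustomobject]@{
        File               = $exe
        ProductVersion     = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        SignatureStatus    = $sig.Status
        Issuer             = $issuer
        IssuedByGlobalSign = ($issuer -match 'GlobalSign')
    }

    # Create the outbound block rule only once, so the script can be re-run safely.
    $ruleName = "Block outbound - $(Split-Path $exe -Leaf)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Program $exe -Action Block -Profile Any | Out-Null
    }
}
```

With the updater blocked, new versions have to be delivered through the organization's own software distribution.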




Notepad++ has long attracted a large and steady user base because it offers functions that aren't available from the official Windows text editor Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor. Alas, like so many other open source projects, funding for Notepad++ is dwarfed by the dependence the Web places on it. The weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available.


