Beaumont wrote:
If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the property.
This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.
The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.
Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources.
Beaumont published his working theory in December, two months to the day prior to Monday’s advisory by Notepad++. Combined with the details from Notepad++, it’s now clear the hypothesis was spot on.
Beaumont also warned that search engines are so “rammed full” of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks. A rash of malicious Notepad++ extensions only compound the risk.
He advised that all users ensure they’re running the official version 8.8.8.8 or higher installed manually from notepad-plus-plus.org.
Larger organizations that manage Notepad++ and update it, he said, should consider blocking notepad-plus-plus.org or block the gup.exe process from having Internet access. “You may also want to block internet access from the notepad++.exe process, unless you have robust monitoring for extensions,” he added, but cautioned “for most organisations, this is very much overkill and not practical.”
Screenshot
Notepad++ has long attracted a large and loyal user base because it offers functions that aren’t available from the official Windows text editor Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor. Alas, like so many other open source projects, funding for Notepad++ is dwarfed by the dependence the Internet places on it. The weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available.
Leave a Reply