Notepad++ releases another patch following recent cyberattacks


Notepad++ has implemented additional security enhancements and cryptographic checks to strengthen its update process, which was recently exploited in a sophisticated espionage campaign that infected targeted users with malware.

The maintainer of Notepad++, Don Ho, released version 8.9.2 of the popular text and code editor.

The software will check two independent signatures and certificates during the update process. First, it will verify that the fetched update data file (XML) has a valid signature. Notepad++’s updater will then download the actual update executable and check its binary integrity. Ho compares this design to “a double-lock.”

“This release strengthens the weakest links in the Notepad++ update process,” Ho said in the release information.

Cybernews previously reported that hackers exploited the Notepad++ update mechanism to selectively target users for malware infection.

Later investigations revealed a massive hosting-level compromise and likely involvement by a Chinese state-sponsored group. Rapid7 Labs attributed the sophisticated hacking campaign to a Chinese threat actor known as Lotus Blossom.

The hackers first compromised the hosting server Ho used to deliver updates to Notepad++ users. This allowed the attackers to redirect their targets to download a compromised update package, infected with a custom backdoor. Notepad++ didn’t verify if the altered updates were valid.
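
The two-step check described above, sketched as an added example that is not Notepad++ or WinGUp code: an update is installed only if the update XML and the installer each verify under their own key. The keys, names, sample XML and URL are constructed, and textbook RSA over fixed Mersenne primes stands in for the real certificate-based signatures.

```python
import hashlib

# Constructed toy keys: textbook RSA over known Mersenne primes, no padding.
# Stand-in only; a real updater relies on certificates and a vetted crypto library.
E = 65537

def make_key(p_exp, q_exp):
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    return pow(digest(data), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data)

MANIFEST_N, MANIFEST_D = make_key(127, 521)  # hypothetical key for the update XML
BINARY_N, BINARY_D = make_key(107, 607)      # separate hypothetical key for the installer

def check_update(manifest, manifest_sig, installer, installer_sig):
    # Lock 1: the update XML must be authentic before anything in it is trusted.
    if not verify(manifest, manifest_sig, MANIFEST_N):
        return "reject: manifest signature"
    # Lock 2: the downloaded installer must verify under its own, independent key.
    if not verify(installer, installer_sig, BINARY_N):
        return "reject: installer signature"
    return "install"

def demo():
    # Constructed sample data, not the real update format.
    manifest = b'<update version="1.0" url="https://updates.example/installer.exe"/>'
    installer = b"constructed official installer bytes"
    m_sig = sign(manifest, MANIFEST_N, MANIFEST_D)
    i_sig = sign(installer, BINARY_N, BINARY_D)
    altered_manifest = manifest.replace(b"updates.example", b"mirror.example")
    return {
        "genuine": check_update(manifest, m_sig, installer, i_sig),
        "altered manifest": check_update(altered_manifest, m_sig, installer, i_sig),
        "altered installer": check_update(manifest, m_sig, installer + b"!", i_sig),
        # A signature made with the manifest key must not pass the installer check.
        "wrong key": check_update(manifest, m_sig, installer,
                                  sign(installer, MANIFEST_N, MANIFEST_D)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the two checks use separate keys, a package delivered from a compromised server fails unless both signatures can be forged.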

Notepad++ also introduced other major reinforcements to its auto-updater, WinGUp. The updater dropped its libcurl.dll dependency to eliminate the DLL sideloading risk, removed two unsecured curl SSL options, and restricted plugin management execution. A full list of changes is available on the community support page.

With this patch, Ho believes the vulnerabilities exploited by Chinese state threat actors are now fully addressed. Users should update Notepad++ to ensure they receive official updates.

