
"Version 8.9.2 adds verification of the signed XML returned by notepad-plus-plus.org. Combined with verification of the signed installer, introduced in version 8.8.9, the update process now validates both the instructions and the payload - the basis for the 'unexploitable' claim. According to the project's author, a state-sponsored cybercriminal compromised the editor's update service. Security researchers attributed the attack to a Chinese government-linked espionage crew called Lotus Blossom."
"The author also noted additional hardening for the auto-updater, WinGUp. The libcurl.dll dependency was removed 'to eliminate DLL side-loading risk,' plugin management execution has been restricted to the program signed with the same certificate as WinGUp, and two unsecured cURL SSL options, CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, have been removed. The author added: 'Of course, it's always possible to exclude the auto-updater during the UI installation, or to deploy the MSI package using the following command: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1.' Updating to the latest version would therefore seem prudent."
Version 8.9.2 adds verification of the signed XML returned by notepad-plus-plus.org and, combined with the signed-installer verification introduced in v8.8.9, validates both the update instructions and the payload. A state-sponsored attacker previously compromised the editor's update service; security researchers attributed the attack to a Chinese government-linked espionage group called Lotus Blossom, which redirected some update traffic to attacker-controlled servers. Hardened releases in December removed a self-signed certificate and strengthened the WinGUp auto-updater: libcurl.dll was dropped to avoid DLL side-loading, plugin-management execution was restricted to the program signed with the same certificate as WinGUp, and the insecure cURL SSL options CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE were removed. Updating is recommended; where the auto-updater is not wanted, the MSI can be deployed with NOUPDATER=1.
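The article's two-layer argument (a valid signature on the payload is only useful if you also know who signed it) applies equally to an administrator deploying the MSI by hand. The following PowerShell is an added example, not code from the article or from the Notepad++ project: it checks the installer's Authenticode signature, pins the signer's certificate thumbprint, and only then runs the NOUPDATER=1 install the author describes. The file name is taken from the author's command; the thumbprint is a placeholder that must be replaced with the value observed on a known-good installer, and the `/qn` and `/l*v` msiexec switches are ordinary msiexec options, not anything the article mentions.

```powershell
# Added example (not the article's or the project's code): verify and pin the
# installer's Authenticode signer before a silent deployment with the
# auto-updater excluded. Run from an elevated PowerShell prompt.
param(
    # File name follows the author's example command.
    [string]$MsiPath = '.\npp.8.9.2.Installer.x64.msi',
    # PLACEHOLDER (assumption): replace with the SHA-1 thumbprint read from a
    # known-good installer via Get-AuthenticodeSignature.
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'
)

$sig = Get-AuthenticodeSignature -FilePath $MsiPath

# 1. The signature must verify and chain to a trusted root. 'HashMismatch'
#    means the file changed after signing; 'NotSigned' means there is nothing
#    to verify at all. Either way, do not install.
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status '$($sig.Status)' ($($sig.StatusMessage))"
}

# 2. A valid signature from *some* publisher is not enough: any code-signing
#    certificate chaining to a trusted root would pass step 1. Pin the signer.
#    (-ne compares strings case-insensitively in PowerShell.)
$actual = $sig.SignerCertificate.Thumbprint
if ($actual -ne $ExpectedThumbprint) {
    throw "Refusing to install: signer thumbprint $actual does not match pinned $ExpectedThumbprint"
}

# 3. Record what was accepted, then install silently with the updater disabled.
Write-Host "Signer:      $($sig.SignerCertificate.Subject)"
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamper: $($sig.TimeStamperCertificate.Subject)"
}

$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$MsiPath`" NOUPDATER=1 /qn /l*v npp-install.log" `
    -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
```

Step 2 is the part most scripts omit: `Get-AuthenticodeSignature` reporting `Valid` tells you the file is unmodified since signing and the chain is trusted, not that the signer is the publisher you expect. Pinning the thumbprint (or, more loosely, the subject) closes that gap, at the cost of having to update the pin when the publisher rotates certificates.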
Read at Theregister