In response to impartial researcher Kevin Beaumont, three organizations instructed him that gadgets inside their networks that had Notepad++ put in skilled “safety incidents” that “resulted in arms on keyboard risk actors,” that means the hackers have been in a position to take direct management utilizing a web-based interface. All three of the organizations, Beaumont stated, have pursuits in East Asia.
The researcher defined that his suspicions have been aroused when Notepad++ model 8.8.8 launched bug fixes in mid-November to “harden the Notepad++ Updater from being hijacked to ship one thing… not Notepad++.”
The replace made adjustments to a bespoke Notepad++ updater generally known as GUP, or alternatively, WinGUP. The gup.exe executable accountable experiences the model in use to https://notepad-plus-plus.org/replace/getDownloadUrl.php after which retrieves a URL for the replace from a file named gup.xml. The file specified within the URL is downloaded to the %TEMP% listing of the machine after which executed.
Beaumont wrote:
Should you can intercept and alter this site visitors, you may redirect the obtain to any location it seems by altering the URL within the property.
This site visitors is meant to be over HTTPS, nevertheless it seems you could be [able] to tamper with the site visitors for those who sit on the ISP degree and TLS intercept. In earlier variations of Notepad++, the site visitors was simply over HTTP.
The downloads themselves are signed—nevertheless some earlier variations of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior launch, this was reverted to GlobalSign. Successfully, there’s a scenario the place the obtain isn’t robustly checked for tampering.
As a result of site visitors to notepad-plus-plus.org is pretty uncommon, it could be attainable to sit down contained in the ISP chain and redirect to a distinct obtain. To do that at any type of scale requires lots of assets.
Beaumont printed his working idea in December, two months to the day previous to Monday’s advisory by Notepad++. Mixed with the small print from Notepad++, it’s now clear that the speculation was spot on.
