The open-source code editor Notepad++ is bolstering its security after the tool was exploited for months by Chinese hackers.
Notepad++ announces a new release of the text and code editor. Version 8.9.2 is designed to provide extra security and arrives, not coincidentally, a few weeks after it was revealed that Notepad++ was exploited for months by Chinese hackers.
A double lock on the door
Notepad++ will henceforth apply a ‘double lock’ principle to prevent this from happening again. Two independent signature and certificate verifications are now performed: a new verification of the signed XML has been added ahead of the verification of the signed installer downloaded from github.com, which was already in place since version 8.8.9. Both checks must pass before an update is applied. This should lead to a more robust update process that is ‘effectively not exploitable,’ according to Notepad++.
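To make the ‘double lock’ concrete, here is an added illustration in Go; it is not Notepad++ or WinGUp code and does not reproduce their certificate scheme. It assumes two separately held ed25519 keys (one for the XML manifest, one for the installer) and a constructed manifest format that pins the installer's SHA-256 digest, so that a valid signature on either artefact alone is never enough: the manifest signature, the installer signature and the pinned digest all have to agree before anything is handed over for execution.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the signed XML that describes an
// update: where the installer lives and which digest it must have.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// Publisher is the client's trust anchor: two independent public keys, one
// per lock. Compromise of one key alone cannot satisfy both checks.
type Publisher struct {
	ManifestPub  ed25519.PublicKey
	InstallerPub ed25519.PublicKey
}

// Release is the set of artefacts a client would fetch (constructed here).
type Release struct {
	ManifestXML, ManifestSig, Installer, InstallerSig []byte
}

var (
	ErrManifestSig  = errors.New("lock 1: manifest signature invalid")
	ErrInstallerSig = errors.New("lock 2: installer signature invalid")
	ErrDigest       = errors.New("lock 2: installer digest does not match manifest")
)

// VerifyUpdate is the double lock. It fails closed: the parsed manifest is
// only returned when the manifest verifies under the manifest key, the
// installer verifies under the installer key, and the installer matches
// the digest pinned inside the (already authenticated) manifest.
func VerifyUpdate(p Publisher, r Release) (*Manifest, error) {
	if !ed25519.Verify(p.ManifestPub, r.ManifestXML, r.ManifestSig) {
		return nil, ErrManifestSig
	}
	var m Manifest
	if err := xml.Unmarshal(r.ManifestXML, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if !ed25519.Verify(p.InstallerPub, r.Installer, r.InstallerSig) {
		return nil, ErrInstallerSig
	}
	sum := sha256.Sum256(r.Installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigest
	}
	return &m, nil
}

// Keys is the publisher side (two separately held private keys); it exists
// only so the example can produce a signed release to verify.
type Keys struct{ manifestPriv, installerPriv ed25519.PrivateKey }

func NewKeys() (Keys, error) {
	_, mp, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keys{}, err
	}
	_, ip, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keys{}, err
	}
	return Keys{mp, ip}, nil
}

func (k Keys) Publisher() Publisher {
	return Publisher{
		ManifestPub:  k.manifestPriv.Public().(ed25519.PublicKey),
		InstallerPub: k.installerPriv.Public().(ed25519.PublicKey),
	}
}

// Sign builds the manifest for an installer and signs each artefact with
// its own key (the URL is a placeholder, not a real download location).
func (k Keys) Sign(version string, installer []byte) (Release, error) {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, URL: "https://example.invalid/installer.exe", SHA256: hex.EncodeToString(sum[:])}
	xmlBytes, err := xml.Marshal(m)
	if err != nil {
		return Release{}, err
	}
	return Release{
		ManifestXML:  xmlBytes,
		ManifestSig:  ed25519.Sign(k.manifestPriv, xmlBytes),
		Installer:    installer,
		InstallerSig: ed25519.Sign(k.installerPriv, installer),
	}, nil
}

func main() {
	k, _ := NewKeys()
	rel, _ := k.Sign("8.9.2", []byte("constructed installer bytes"))
	if m, err := VerifyUpdate(k.Publisher(), rel); err == nil {
		fmt.Println("accepted version", m.Version)
	}
	rel.Installer = append(rel.Installer, '!') // tampered after signing
	_, err := VerifyUpdate(k.Publisher(), rel)
	fmt.Println("rejected:", err)
}
```

The order of the checks matters: the manifest is authenticated before it is parsed, so the digest used in the second lock comes from data an attacker could not have altered without the first key, and a correctly signed installer that is simply not the one the manifest pins is still refused.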
The update includes further security measures. Two insecure cURL SSL options have been cleaned up, and the dependency on libcurl.dll has been removed to reduce the risk of DLL sideloading. Plugin management can now only be executed by programs signed with the same certificate as the WinGUp auto-update system.
Chinese hackers
Several security gaps in Notepad++ were recently exposed. Chinese hackers exploited the code editor for months as a backdoor to install malware on users’ devices. It took nearly half a year before Notepad++ managed to get its environment back in order. Notepad++ has patched the vulnerabilities and also decided to switch hosting providers following the incident.
This update closes the backdoors and should make it harder to exploit the editor further. Notepad++ advises installing the update as soon as possible, and only through the official channel. The open-source code editor is available on Windows in 90 languages.
