**Notepad++ Fixes Critical Updater Vulnerability that Allowed Malicious Update Hijacking**
Popular text editor Notepad++ has released an update to fix a critical vulnerability in its updater, which allowed attackers to hijack update traffic. The vulnerability, first reported by security researcher Kevin Beaumont, exposed users of the software to potential security incidents.
The issue was caused by weak file authentication, which allowed attackers to intercept and manipulate update files. According to Beaumont, several Notepad++ users had reported security incidents, with some even speculating that the attacks were targeted at telecom and finance firms in East Asia.
Beaumont's research revealed that the attackers were exploiting a vulnerability in Notepad++'s GUP/WinGUP updater. The updater contacts a Notepad++ URL, retrieves an update download link from a file called `gup.xml`, saves it to the user's temporary folder, and then executes it. If an attacker intercepts this traffic, they can alter the `
While downloads were signed, older versions of Notepad++ used a self-signed root certificate that was publicly available on GitHub, weakening validation. Because traffic to notepad-plus-plus.org is relatively rare, it's possible for attackers with sufficient resources to intercept and redirect this traffic at the ISP level.
Notepad++ 8.8.8 fixes the updater issue by forcing updates to download only from GitHub, making interception much harder. The update also includes a new security enhancement that addresses the hijacking concerns raised by Beaumont.
The exact mechanism of how attackers hijacked updater traffic in the wild is still unclear, but Beaumont speculates that they may have intercepted traffic at the ISP level to deliver malicious updates. Notepad++ has confirmed that its WinGUp updater was sometimes redirected to malicious servers, causing users to download compromised executables.
"The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file," reads the report published by Notepad++. "In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and execute an unwanted binary (instead of the legitimate Notepad++ update binary)."
The fix for the vulnerability is included in Notepad++ 8.8.8, which is available for download now. Users are advised to update their software as soon as possible to prevent potential security incidents.