“The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.”
Fuckall they could really have done about it other than changing host providers, which they mentioned they already have as a result.
that’s a brutal hack. so they hacked the hosting update server, made it monitor incoming IPs, and then selectively uploaded a compromised backdoor update based on IP only to certain computers so it would go undetected longer?
it’s awful, but technically impressive that someone could remotely hack the server like that and set up such a complex system to target IPs… unless it was a state actor that compelled the server company to provide local access, in which case it’s less impressive.
It’s astounding this wasn’t done years sooner to be honest. I mean, signing software with keys is not something invented recently. Not doing so is akin to storing passwords in plain text.
I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn’t have to deal with Microsofts method of signing software, but that kind of backfired on them.
No, because you wouldn’t be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft’s security software in the process.
I meant the old .exe would check the signatures before initializing the official Windows way to update. Effectively have this run whenever you start the application:
main() {
if (update_available()) {
exe_path = download_update()
if (signature(exe_path) == SIGNATURE) {
install_update(exe_path)
restart()
} else {
put_up_a_warning_or_something()
delete(exe_path)
}
}
# Rest of the application# ...
}
The only thing I have no idea how to implement would be the install_update(path) function. But surely this is one way to install updates without signatures recognized by Microsoft, right?
And if for some reason you aren’t allowed to sign the .exe because this breaks something, then place an unsigned .exe in a signed zip folder.
How many times has this happened to Notepad++ now?
Once
“The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.”
Fuckall they could really have done about it other than changing host providers, which they mentioned they already have as a result.
that’s a brutal hack. so they hacked the hosting update server, made it monitor incoming IPs, and then selectively uploaded a compromised backdoor update based on IP only to certain computers so it would go undetected longer?
it’s awful, but technically impressive that someone could remotely hack the server like that and set up such a complex system to target IPs… unless it was a state actor that compelled the server company to provide local access, in which case it’s less impressive.
Sign the updates before uploading them so they can’t be faked?
It’s astounding this wasn’t done years sooner to be honest. I mean, signing software with keys is not something invented recently. Not doing so is akin to storing passwords in plain text.
I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn’t have to deal with Microsofts method of signing software, but that kind of backfired on them.
Yes, but from what I understand this refers to the automatic update functionality and not Microsoft’s own .exe signature verification thing.
Couldn’t you do it like this:
That should work, shouldn’t it?
No, because you wouldn’t be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft’s security software in the process.
I meant the old .exe would check the signatures before initializing the official Windows way to update. Effectively have this run whenever you start the application:
main() { if (update_available()) { exe_path = download_update() if (signature(exe_path) == SIGNATURE) { install_update(exe_path) restart() } else { put_up_a_warning_or_something() delete(exe_path) } } # Rest of the application # ... }The only thing I have no idea how to implement would be the
install_update(path)function. But surely this is one way to install updates without signatures recognized by Microsoft, right?And if for some reason you aren’t allowed to sign the .exe because this breaks something, then place an unsigned .exe in a signed zip folder.
Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.
Or tarnish its name associating it with malware and bad actors, who knows?
Cryptography is hard and programmers are notoriously really really really bad at it.