@Bhaalthazar said in Security of Legacy Notepad++ Versions (CVE-2025-49144):

patching older vulnerable versions

It could be fun, now without the public CA cert available…

@Brian-Dickens

https://community.notepad-plus-plus.org/post/102220

As I said, without the N++ digital signature, stupid AVs go nuts.

The number of false positives from AVs is so high because in the past, many attackers probably have also used the free, open source NSIS for their purposes.

Here’s my reply:
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16638#issuecomment-2947240947

@Emmanuel-Meekers
AFAIK there is no technical means to limit the number of plugins a user is able to install. You can only remove the capability to install plugins at all.

You could do a survey which plugins your employees need. There can be different needs, e.g. technical staff likely needs other plugins than employees that ar more involved in administrative tasks. Then you can install these plugins on the employee’s machines.

After that you need to rename or delete <install-directory>\updater\GUP.exe to prevent users from installing any other plugins. As long as your employees don’t have admin access to Notepad++'s install directory, they are not able to revert these changes.

The disadvantage is that your users neither will be able to update Notepad++ itself nor the installed plugins. This is something your ICT department has to do.

@Alan-Kilborn So where should this be discussed then?

I would greatly appreciate if anyone did know of some little FOOS tool/script like I mentioned, more reliable than what I’ve hacked together, to help me secure my friends cyber security.

Can people here DM me suggestions?

If there was a discord this could be spun off into a thread.

I’m not sure if it matters to anyone but the suggestions and discussion so far have been really helpful and spot on solving the problem which I’m still using NPP for BTW (such as displaying instructions as we just discussed).

For some perspective, the person I’m trying to help recently lost 7kg in just over a week due to stress and worry from being targeted and harassed by some hacker/scammer that’s been messing with then, trying to take accounts etc for a while now.

I agree it’s not on strictly topic and I don’t expect to discuss this here, it’s just without at least giving a way to continue the discussion elsewhere, given the fact that it’s still directly addressing the goal I initially stated, and the potential consequences to people, it seems kinda callous to just stomp on it like we’re posting cat memes.

So how and where should this be continued, or is that irrelevant?

@Izzy-Gonzalez said in Notepadd++ General version update function:

Is there any way to allow a normal user to update the software without having to provide the user admin rights to the local PC?

Microsoft has defined C:\Program Files\ (and equivalent, though I’ll use that as the generic path going forward in this post) as requiring UAC (elevated privileges, or “Admin privileges”). If someone installs Notepad++ into C:\Program Files\Notepad++\, then it will require admin rights (unless you have disabled UAC on your PC).

If you cannot disable UAC requirements, you could try changing the permission of the C:\Program Files\Notepad++\ directory (and all subdirectories) – which will require UAC/Admin once to be able to change the permissions, but should successfully update thereafter. (That’s what I do on my work machine, since I frequently update Notepad++ or its plugins, and got tired of entering my password every time I did.)

If changing permissions of the installation directory is not something you’re interested in, you might consider installing Notepad++ to a location where you do have write access, instead of in the default C:\Program Files\Notepad++\ – maybe you could create a directory called C:\LocalApps\, and install Notepad++ as C:\LocalApps\Notepad++\ . As long as you installed it as your local, non-privileged user and have appropriate permissions in the C:\LocalApps\ hierarchy, you shouldn’t be pestered for Admin rights on future updates.

@Paolo-Monni ,

I found this comment from Don which indicates that DigiCert donated a certificate in 2022. (And previously in v7.7 release notes in 2019.)

So yes, it’s a free certificate donated by the certificate authority. I don’t know of any cheap sources for mere mortals

Update: a quick web search found this reddit discussion which had discussions about a few options – it started 3 years ago, but there have been a few more-recent comments, and it at least gives a starting point for future research.

@Shravan-Joshi ,

When are you planning …

We at this Forum are the Community of Notepad++ users, not the developer. We are not planning to update anything.

This is apparently a rather new issue – it was just publicly reported to the author yesterday. But you can watch that official issue to see when something happens with it.

@saladah0330 - I uploaded Notepad++ v8.6.7 to https://www.virustotal.com/gui/home/upload and that web site says Zillya / Trojan.Rozena.Win32.219427

If you search the Notepad++ forums for Zillya you will find it’s a longstanding issue. As AV vendors do not document the details of their detection process we don’t know why that particular scanner complains about Notepad++.

Notepad++'s triggering for updates process is not related to this issue. The installer package that you download is exactly the same regardless on if a download was before or after is triggered for updates.

It’s a puzzle that Zillya did not complain about the file you downloaded. If you still have the installer.exe file see if Zillya still does not complain.

The size of your file should be one of:

4,701,256 bytes for npp.8.6.7.Installer.exe 4,854,296 bytes for npp.8.6.7.Installer.x64.exe

Check your web browser’s download history and get the exact URL that you downloaded the installer from. It should be either

https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.6.7/npp.8.6.7.Installer.x64.exe https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.6.7/npp.8.6.7.Installer.exe

The download page at https://notepad-plus-plus.org/downloads/v8.6.7/ has GPG signatures that can be used to see if the exe you have in hand matches what Notepad++'s developer intended you have…

@bitRAKE
Good catch! I already an issue in the mimeTools repo referencing that article.

Of course, if it is, as you say, not an issue with the official plugin but rather an issue with Notepad++ loading a malicious DLL of the same name, I guess there’s nothing Don Ho can do about the issue.

@andy778 ,

Could you put a little more effort into explaining what you’re talking about? As it is, I had to do research on my own to figure out whether you were just an incompetent spammer, or whether you were actually trying to have a Notepad++ related conversation…

I had never heard of the OpenSSF Scorecard before your post, though I did a bit of digging after.

It doesn’t seem to be just spam, since that tool is at least mentioned/described by the US Cybersecuirty & Infrastructure Security Agency (https://www.cisa.gov/resources-tools/services/openssf-scorecard)

I found that https://securityscorecards.dev/ describes how to run it, either from a GitHub action or from a command line, but the command line requires an environment I don’t have immediate access to, so I cannot see how the results might be presented.

Some possible discussion points, assuming you were willing to provide more information:

A score alone tells us nothing, especially if we know nothing about the service. Is it allowed by the license of that software to actually share the results (as more than a meaningless “aggregate score”)? (Given it’s for scoring FOSS projects, I would assume that the results were Free and Open as well.) If it is allowed, and you want to spark discussion, you need to share more of the results, so there’s actually something to talk about.

What kinds of scores do other comparable, volunteer-only, 0-budget OSS projects get?

All the environments for running the tool seem to be non-Windows-specific (Homebrew is Mac, AFAIK; Docker is for mixed environments, and “Nix” is presumably a derivative of “*nix”, which is the generic “Unix/Linux/similar” term [though I had never seen it without at least the splat]). But given that none of those is Windows-specific, is OpenSSF scorecard actually capable of meaningfully scoring a Win32 project? Or does OpenSSF subtract points for just using a non-open-source environment like Windows?

If you’re trying to convince the Developer that the OpenSSF needs to be run automatically as a GitHub Action, you won’t be able to do that here, as he doesn’t read random posts in the Community Forum. But if you can show the fellow users that it might be a useful tool, which brings up actionable points with something more than a meaningless number, we might encourage you to put in an official feature request to add an Action for this tool (as the Developer has shown, for example with the EU-FOSSA review a few years ago, that he is willing to entertain Open Source reviews and the inputs they provide).

These were paid ads… malware developers sometimes buy advertising on Google

@mkupper That also makes sense. Thank you for the clarification and possible reasons for this occurring! I really do appreciate it.

The issue has been reported to the developer. It is up to him when it gets fixed.

The developer has committed a fix, updating to curl 8.4.0. The new libcurl.dll should be included in the next version of Notepad++ (presumably to be named v8.5.9).

Good catch!

I think this page on the Developer Program Policy for impersonation might cover this.

Quoted from the page (with emphasis on the item I think those apps violate):

Impersonation

We don’t allow apps that mislead users by impersonating someone else (for example, another developer, company, entity) or another app. Don’t imply that your app is related to or authorized by someone that it isn’t. Be careful not to use app icons, descriptions, titles, or in-app elements that could mislead users about your app’s relationship to someone else or another app.
Examples of common violations

Developers that falsely imply a relationship to another company / developer / entity / organization.

The developer name listed for this app suggests an official relationship with Google, even though such a relationship doesn’t exist.

Apps whose icons and titles are falsely implying a relationship with another company / developer / entity / organization.

The app is using a national emblem and misleading users into believing it is affiliated with government.

The app is copying the logo of a business entity to falsely suggest it is an official app of the business.

App titles and icons that are so similar to those of existing products or services that users may be misled.

I for one am going to flag those apps because of the icon/title collisions.

@Mark-Olson said in CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166:

Just want to observe that it looks like fixes have finally made it into master:

And into v8.5.7 RC, so the fixes will be in the next release in the very near future.

@Lou-Thomas said in Data from closed secure drive displayed in newly-opened Notepad++:

It seems that by design Notepad++ saves the content of such unsaved buffers, so perhaps that behavior was inappropriately applied somehow to files that were no longer available in their original locations when Notepad++ was freshly opened.

It’s not “inappropriately”. It’s working as designed. When you have the setting Settings > Preferences > Backup > ☑ Enable session snapshot and periodic backup, Notepad++ saves a copy of every edited-but-not-saved tab into the listed backup directory. It does not care whether there’s a file on the filesystem or not. If you exit when your “secure” file is edited but not saved, then (1) the copy on the “secure drive” will not be saved to the most recent state, so the real file will not be updated, and (2) the backup copy will be in Notepad++'s directory. When Notepad++ re-runs, it will see you had an unsaved document, and will open with the copy from the backup – it does not care whether that backup maps to a real file or not. (If it did, then the primary use for that feature – saving unnamed new 1-style files that have never had a filesystem name applied yet – would not work.)

If you don’t like that it’s storing the unsaved contents of documents in the backup drive, you can turn off the setting I indicated. (There’s no way to get a mix of the two behaviors; either all open tabs will have unsaved changes stored in backup when that option is on, or no open tabs will have unsaved changes stored in backup with that option is off.)

Of course if this behavior is confirmed it could result in secure data being unintentionally exposed.

If you deal with secure data, then onus is on you to understand how the applications you are using to handle that data deal with the data, and make sure your workflow with those applications does not violate your security protocols. Notepad++ cannot know and protect against every possible security protocol out there. Notepad++'s handling of backups and unsaved files is well documented, both here in our backup FAQ and in the npp-user-manual.org website that’s linked from Notepad++'s ?-menu Notepad++ Online User Manual (specifically, the Preferences > Backup section)