@SammyBolt said in autoupdater and connection temp.sh:
Regarding the WinGup fix in v8.8.8, was the temp.sh (or similar) exfiltration vector reported in v8.8.4 possible on a clean, official installation of Notepad++?
The temporary fix prevents the hijacking attempts that redirect to the domain other than github.com. However, it cannot protect against malware that is hosted on github.com.
The full fix will be included in the upcoming version, as mentioned below.
You mentioned the fix landed in v8.8.8, but can you confirm if this vulnerability was introduced specifically in v8.8.4 (due to changes in the updater), or were versions prior to 8.8.4 (like 8.8.2/8.8.3) also susceptible to this specific gup.exe hijacking technique? What about 8.8.5-8.8.7?
We still cannot determine the exact method used by the attacker. But it is not a case of “a vulnerability introduced in version X”.
For users currently running v8.8.4 who want to verify they haven’t been impacted before updating: Aside from monitoring network traffic for temp.sh, are there specific things we can check for, like modifications to the update xml file or other modified files/logs in the program directory?
I do not have complete information to provide specific advice. However, here’s an article from a security expert who appears to have investigated this issue:
https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
My suggestion is download & install v8.8.8 manually from the official website.
The upcoming release v8.8.9 will be available in a few days. In this release the code signing certificates will be verified on the downloaded binary before update installation.
Then please update to v8.8.9, in which the vulnerability is fully addressed.
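The two mitigations described above (the temporary rule that the download must come from github.com, and the v8.8.9 rule that the downloaded binary's code-signing certificate is verified before installation) can be checked by an administrator independently of the updater. The script below is an added example written for this thread, not Notepad++ or WinGup code, and it assumes a placeholder publisher subject that you must replace with the subject read from a known-good installer:

```powershell
# Added example (not Notepad++ / WinGup code). Two defender-side checks on an
# update package before it is executed, mirroring the thread's two mitigations:
#   1. the download URL must be HTTPS on github.com (the temporary fix), and
#   2. the downloaded file must carry a Valid Authenticode signature from the
#      expected publisher (the full fix). Check 2 is what covers the gap the
#      thread points out: a redirect check cannot stop a payload hosted on
#      github.com, but an unexpected or missing signer still fails here.
param(
    [Parameter(Mandatory)] [string] $DownloadUrl,    # URL the updater was told to fetch
    [Parameter(Mandatory)] [string] $InstallerPath,  # file it actually downloaded
    # ASSUMPTION / PLACEHOLDER: replace with the Subject shown by
    #   (Get-AuthenticodeSignature <known-good-installer>).SignerCertificate.Subject
    [string] $ExpectedSubject = 'CN=<EXPECTED-PUBLISHER-SUBJECT>'
)

function Test-UpdateHost {
    param([string] $Url)
    $uri = [System.Uri] $Url
    # Reject plain HTTP and any host other than github.com. Comparing the parsed
    # Host (not a substring of the raw string) avoids look-alike hosts such as
    # "github.com.example" or userinfo tricks in the URL.
    return ($uri.Scheme -eq 'https' -and $uri.Host -eq 'github.com')
}

function Test-InstallerSignature {
    param([string] $Path, [string] $Subject)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, ... all mean "do not run it".
        Write-Warning "Signature status for '$Path': $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    # A valid chain alone is not enough: any publisher can buy a certificate.
    # Pin the signer to the subject observed on a known-good release.
    if ($sig.SignerCertificate.Subject -ne $Subject) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

$hostOk = Test-UpdateHost -Url $DownloadUrl
$sigOk  = Test-InstallerSignature -Path $InstallerPath -Subject $ExpectedSubject

[pscustomobject]@{
    DownloadUrl    = $DownloadUrl
    HostIsGitHub   = $hostOk
    SignatureValid = $sigOk
    SafeToInstall  = ($hostOk -and $sigOk)
}
```

Run it as `.\Check-Update.ps1 -DownloadUrl <url from the update XML> -InstallerPath <downloaded .exe>` and only proceed when `SafeToInstall` is `True`. The subject pin is deliberately a placeholder: take it from a release you obtained directly from the official website, as the post recommends, rather than from the file you are trying to verify.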