    8.8.2 - coming soon??

    General Discussion
    15 Posts 9 Posters 1.2k Views
    • Murray Sobol 1

      Just curious about 8.8.2, will it be coming soon??
      AFAIK the last update was more than 1 month ago.
      It seems, to me, a LONG time between updates.

      • Karlo-F @Murray Sobol 1

        @Murray-Sobol-1 said in 8.8.2 - coming soon??:

        Just curious about 8.8.2 , will it be coming soon??

        No.

        • Mark Olson @Murray Sobol 1

          @Murray-Sobol-1
          In general you don’t need to guess, because Don Ho will typically announce that a release candidate is coming soon (as a courtesy to plugin developers) or that a release candidate is live.

          • PeterJones @Murray Sobol 1

            @Murray-Sobol-1 said in 8.8.2 - coming soon??:

            AFAIK the last update was more than 1 month ago.
            It seems, to me, a LONG time between updates.

            Not really. Except when there’s a major regression, anything less than 1 month is unusual. And historically, it’s been every month or two – more often, once a month; but when he’s focused on feature additions rather than bugfixes, the delays are often longer. So being “a long time”, by your definition, is good news, because it means there aren’t many bugs and there are more chances for cool new features to be added.

            Though I’m not as confident as @Karlo-F that it’s not “soon”, depending on what you mean by soon. It wouldn’t surprise me if we saw the 1-week courtesy announcement in the near future… but it also wouldn’t surprise me if the next version weren’t until the end of this month or early July.

            • pbarney @PeterJones

              @PeterJones, that’s the holy grail of the daily coding grind: no open issues and fun stuff on the roadmap!

              • G N @Murray Sobol 1

                @Murray-Sobol-1

                See https://cybersecuritynews.com/notepad-vulnerability/
                “Notepad++ Vulnerability Let Attacker Gain Complete System Control – PoC Released”
                … “Notepad++ developers have responded swiftly by releasing version 8.8.2 to address this critical vulnerability.”
                https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-9vx8-v79m-6m24

                • xomx @G N
                  last edited by xomx

                  @G-N said in 8.8.2 - coming soon??:

                  https://cybersecuritynews.com/notepad-vulnerability/

                  If your concern is only security and you already have N++ installed, I recommend not updating to the upcoming 8.8.2 version (as it will actually lower your security a bit, more below).

                  The reported vulnerability is not in the Notepad++ app but in its installer. So if one already has the N++ app installed, there are only these two options:

                  1. Most probably everything is ok.

                  2. Your comp has unfortunately already been compromised (as an evil hacker or “social engineer” somehow managed to get a maliciously modified fake substitute for the system regsvr32.exe into the same dir from which you ran the elevated N++ app installer). In this case upgrading to v8.8.2 does not solve your problem even if the reported vulnerability has already been fixed for that version.

                  And now to why upgrading to the upcoming v8.8.2 lowers your security:
                  -> This is unfortunate timing: the N++ digital certificate for signing its executable code (and therefore also its own installer) has just expired and there is a problem with its renewal (more info here). So the upcoming v8.8.2 will most probably go out unsigned.

                  • Mark Olson @xomx

                    @xomx said in 8.8.2 - coming soon??:

                    Your comp has been unfortunately already compromised

                    Yeah, this seems to be a common pattern in most of the recent “Notepad++ Vulnerabilities” that have been published: they involve planting some malicious file in just the right spot on your computer, and then using Notepad++ or its installer to help execute that malicious file. If I’m a bad guy with unrestricted access to some schmuck’s computer, why would I condition my ruination of their life on them using Notepad++?

                    • PeterJones @Mark Olson

                      @Mark-Olson said in 8.8.2 - coming soon??:

                      if I’m a bad guy with unrestricted access to some schmuck’s computer, why would I condition my ruination of their life on them using Notepad++?

                      To smear N++'s good name in the process? I dunno.

                      Personally, I’ve never seen the benefit of all the signing of applications – and especially all of the rigamarole of N++ checking signatures. If the government-level agency or a determined power-hacker is out to get you specifically, the signatures won’t do anything to stop it.

                      At the very simplest, if they can access your computer and inject a bad notepad++.exe or nppPluginList.dll into your UAC-protected program files directory, then they have enough privilege to also insert a new trusted root-level certificate in your UAC-protected certmgr, and once there is a trusted root certificate, anything that the nefarious individuals signed with a signing-cert derived from that chain will also be trusted. And honestly, what normal user, or even semi-power user like me, follows the cert chain all the way from the signed app up to the Trusted Root Certificate in their certmgr, and confirms that they know and trust the specific authoritative certificate in their Trusted Root Certificate? Every time they run the app (because the injection of the bad exe or dll could happen at any time, not just at install)? When I just took a look at the various certs in that section, I recognize DigiCert, Comodo, GlobalSign, and GoDaddy… and by running Windows, I presumably “trust” Microsoft to a certain extent. But there are a lot in there that I know nothing about; and I’ve never checked to see whether some or all of the signed apps go to any of those certs that I don’t know the provenance of.

                      As far as I can tell, all signed apps give you is assurance that “this app was signed by someone who appears to have permission to sign apps”. As far as feeling secure – I feel much better knowing that my router provides a good firewall, and that when I download from a known/trusted website via an HTTPS connection, I can be confident that the bits that I receive on my end must be the same as the bits on the trusted source end; the app also being “signed” doesn’t really increase my trust in the situation.

                      • Coises @Mark Olson

                        @Mark-Olson said in 8.8.2 - coming soon??:

                        If I’m a bad guy with unrestricted access to some schmuck’s computer, why would I condition my ruination of their life on them using Notepad++?

                        The attacker might not have admin rights. Since the Notepad++ installer itself would be genuine, validation will succeed and its request for admin rights is likely to be approved. Since the installer is not likely to be saved in a protected folder, an unprivileged user could put the modified system dll in the folder from which the installer will be run. The vulnerability is that the installer doesn’t check to see that it loads dlls only from reliable locations.

                        The attacker could even be a user who is authorized to use the computer, but doesn’t have admin rights (and would like to have them).

                        Imagine that one of those sketchy “Download” advertisements on the release page downloads a malicious dll and then says the download failed. Clueless user then finds the right download, downloads it to the same folder without checking for previous downloads. User then executes the installer, and since it passes validation (since it is unmodified) allows it to “make changes to my computer.” It loads the malicious dll, which does… whatever it does. (I doubt it would be that simple, but you get the idea.)

                        • Coises @PeterJones
                          last edited by Coises
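A defender-side pre-flight check that covers both points raised so far: Coises’ point that the installer picks up DLLs (or a fake system exe) from whatever folder it is run from, and PeterJones’ point that almost nobody follows a signature’s chain up to the trusted root. This is an added example, not code from this thread or from the Notepad++ project; the installer path is an assumed placeholder, and it is meant to be run as the normal user before clicking through the UAC prompt.

```powershell
# Added example, not from the thread or the Notepad++ project.
# Pre-flight check before launching a downloaded installer with elevation.
param(
    # Assumed placeholder path; point it at the installer you actually downloaded.
    [string]$Installer = "$env:USERPROFILE\Downloads\npp.Installer.x64.exe"
)

$installer = (Resolve-Path $Installer).Path
$dir = Split-Path -Parent $installer

# 1. Executable code sitting next to the installer is a red flag: an installer that
#    resolves DLLs (or a "system" exe) from its own directory would load it instead.
$siblings = Get-ChildItem -Path $dir -File |
    Where-Object { $_.FullName -ne $installer -and $_.Extension -in '.dll', '.exe', '.ocx', '.cpl' }
if ($siblings) {
    Write-Warning "Other executable files found beside the installer (run it from an empty folder instead):"
    $siblings | ForEach-Object { Write-Warning "  $($_.FullName)  ($($_.Length) bytes, $($_.LastWriteTime))" }
}

# 2. Authenticode status of the installer itself. "NotSigned" is what an unsigned
#    release looks like; "HashMismatch" means the bytes were altered after signing.
$sig = Get-AuthenticodeSignature -FilePath $installer
Write-Host "Signature status : $($sig.Status) - $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    # 3. Make the trust anchor explicit: build the chain from the signer up to the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # needs network; use 'NoCheck' when offline
    $built = $chain.Build($sig.SignerCertificate)
    Write-Host "Chain builds cleanly: $built"
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "  chain status: $($status.Status) - $($status.StatusInformation)"
    }

    Write-Host "Chain (leaf -> root):"
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        Write-Host ("  {0}`n      valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}, thumbprint {3}" -f `
            $c.Subject, $c.NotBefore, $c.NotAfter, $c.Thumbprint)
    }

    # 4. Where does the root live? A root present only in the per-user store was added
    #    under this account without admin rights; the machine store needed elevation.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inMachine = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)
    $inUser    = [bool](Get-ChildItem Cert:\CurrentUser\Root  | Where-Object Thumbprint -eq $root.Thumbprint)
    Write-Host "Root '$($root.Subject)' in LocalMachine\Root: $inMachine ; in CurrentUser\Root: $inUser"
}
```

An expired signing certificate, as xomx mentions, does not by itself turn a timestamped Authenticode signature invalid; the status stays Valid, and the expiry only shows up in the NotAfter dates of the chain listing.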

                          @PeterJones said in 8.8.2 - coming soon??:

                          I’ve never seen the benefit of all the signing of applications

                          I hate the way it makes second (or third, or twentieth) class citizens of independent developers and open source projects.

                          At the same time, I realize that like most security protocols, it’s not designed for people like us. It’s designed to make it more difficult for unscrupulous rogues to take advantage of the careless and clueless.

                          There is a lot more nasty, and a lot more stupid, out there than most of us realize. Typical computer security exists to reduce the number of destructive collisions between the two.

                          Edit to add: Signing doesn’t guard against malicious code, but it makes it practical for Windows to put up warnings (which might be blocks for non-admin users) for code that isn’t signed. In turn, that makes it harder for fly-by-night bad guys to get past clueless users. Open source projects and individual developers are collateral damage — how important could anything possibly be if it doesn’t come from a corporation that makes lots of money?

                          • xomx @PeterJones

                            @PeterJones said in 8.8.2 - coming soon??:

                            To smear N++'s good name in the process?

                            That’s it. And also publicity + a “security expert” wannabe desire.
                            Sometimes I feel like the people who write about such things are simply paid by the word count.

                            But in this case @Coises has a point, it could be a real problem:

                            @Coises said in 8.8.2 - coming soon??:

                            The attacker might not have admin rights. Since the Notepad++ installer itself would be genuine, validation will succeed and its request for admin rights is likely to be approved. Since the installer is not likely to be saved in a protected folder, an unprivileged user could put the modified system dll in the folder from which the installer will be run…

                            The vulnerability is that the installer doesn’t check to see that it loads dlls only from reliable locations.

                            If you would like to read more about these hijacking techniques, here is a very good comment about similar stuff from Anders (I think he’s an NSIS co-author himself).

                            • xomx @Mark Olson

                              @Mark-Olson said in 8.8.2 - coming soon??:

                              If I’m a bad guy with unrestricted access to some schmuck’s computer, why would I condition my ruination of their life on them using Notepad++?

                              In my 1st comment here I did not mean to belittle the installer security vulnerability found. I wrote

                              from where you ran the elevated N++ app installer,

                              By my “Your comp has been unfortunately already compromised” I rather meant that in that case the user’s comp has already been infected by that fake regsvr32.exe file loading & executing. @Coises is right.

                              • rdipardo @Coises

                                @Coises said in 8.8.2 - coming soon??:

                                Imagine that one of those sketchy “Download” advertisements on the release page downloads a malicious dll and then says the download failed. Clueless user then finds the right download, downloads it to the same folder without checking for previous downloads.

                                I personally have little sympathy for anyone who still gets their software from a website. With a package manager like WinGet or Scoop, you can have an evergreen portable edition in a user-local path. And you can still have context menu entries — scoped to HKEY_CURRENT_USER by default — for the complete look-and-feel of a “full” installation without needing to run as admin.

                                Of course that still leaves the problem of installing plugins with WinGUP, which insists on having admin privileges no matter what folder the download is ultimately going into. But since WinGUP is just a thin GUI on top of curl.exe, you could script a more secure replacement in Python and never miss it.

                                • Coises @rdipardo
                                  last edited by Coises

                                  @rdipardo said in 8.8.2 - coming soon??:

                                  I personally have little sympathy for anyone who still gets their software from a website. With a package manager

                                  Huh. I don’t think I’ve ever used a package manager. I don’t even like to use the update built in to software; when the software notifies me that there is an update — or when I find out about it some other way — whenever possible, I download the latest offline installer, save it in my “Software\Current” directory, and move the previous installer to “Software\Old”; that way I can always reinstall an older version that worked for me if something gets messed up, or the current version if I have to rebuild.

                                  (Well, I do let Firefox and Thunderbird update themselves because they update so damn often; and I think they no longer make offline installers available. I’ve been letting Visual Studio update itself, and I should probably reexamine that; but I think it, too, may lack a true offline installer.)

                                  I’m sure Microsoft would love to make Windows like an iPad where you’re trapped within the confines of the “Windows Store”; for my part, I’m glad Windows’ history has made that sort of restriction unacceptable… so far.

                                  The Community of users of the Notepad++ text editor.