    Do I need to update?

    • kia kam

      Hello,
      I am a bit concerned about the security flaws that my current version has, but I (at least according to what I have seen in the settings) have disabled the auto updater since install and do not intend to use it.
      I wanted to update to the newest version, but it appears that I have to reinstall it, basically. Since I do not want to keep the settings and stuff, I kinda rather not do that.
      Question is, do I need to update? Basically, is it possible for hackers to use the old version that I have in the future to do something?
      Sorry if it is a basic and dumb question, I only use the program for taking notes and am not a tech guy.
      Thanks in advance

      • PeterJones @kia kam

        @kia-kam,

        Sorry, your phrasing is a bit confusing to me.

        > I wanted to update to the newest version, but it appears that I have to reinstall it, basically. Since I do not want to keep the settings and stuff, I kinda rather not do that.
        > Question is, do I need to update?

        In your mind, is “update” different than “reinstall”?

        In my mind, if they are different, then “update” would mean “just use the ? menu’s Update Notepad++ entry”, whereas “reinstall” would mean uninstall the old, then download and run the installer for the new.

        But in this case, you will get the security enhancements whether you (1) update using ? > Update Notepad++, or whether you (2) manually download the installer and run it without uninstalling first, or (3) whether you uninstall the old copy then manually run the installer to get the new copy. There will be no difference in the end result.

        Edit to this post: If you do not want to keep your old settings, you can either run the uninstaller first (i.e., choice 3), and answer the question to not keep the old settings; or you can just delete %AppData%\Notepad++ before running the installer under (2) or (3). The recommendation, for just this one update, is to not use ? > Update Notepad++ if you are running a version less than v8.8.8.

        > Basically, is it possible for hackers to use the old version that I have in the future to do something?

        No.

        First, because whichever of the three methods I just described you use, by default, they will put the executables in the same place, so none of those three methods will keep the old copy anywhere on your PC (unless you have multiple copies, of course; it will only update/reinstall the copy in the default location).

        Second, because the recent security issue was not the fact that the notepad++.exe or gup.exe were compromised in any way, shape, or form. There was a website breach, which allowed the hackers to respond to about a dozen IP addresses from various regions in Asia over a ~6 month period, with false information of where to download the new installer. That website vulnerability has been fixed. During the breach, when the gup.exe updater was run (using ? > Update Notepad++), it would ask the server, and if you were one of about a dozen IP addresses, instead of giving the answer as to where the normal update installer was, they would redirect you to a malicious download. (If you were not one of those dozen IP addresses, nothing bad happened, and you were unaffected by the breach.)

        The recommendation to update to the newest version is so that, going forward, the auto-updater (gup.exe) can be more secure, and it will do more checks and comparisons to make sure that the installer it downloads. So, going forward, even if the updated website does get hacked, the updater will see bad information coming from the website, and refuse to install it.

        > I (at least according to what I have seen in the settings) have disabled the auto updater since install and do not intend to use it.

        If you are on a version from v8.8.7 or earlier, then for this one upgrade, the recommendation is to not use ? > Update Notepad++. Instead, download the v8.9.1 installer from the official source (as described in our FAQ here, or in the various announcements, or by just going to the official https://notepad-plus-plus.org/downloads webpage [1]), and run that installer – no need to uninstall the old version first. It is safe to keep your old settings. It is safe to allow the installer to include the auto-updater, and to let v8.9.1 and later run the auto-updater. [2]

        [1]: BTW: the downloads page on the website was not hacked. It was just the program that replied to requests from gup.exe that was hacked. And to reiterate: only a handful of computers were ever sent bad update information; the rest were all directed to the real installer, which was completely safe to have run. And to repeat: the website has been fixed, and will not send the bad information, even to those handful of machines. The update process is safe right now, and updating to v8.8.8 or newer (v8.9.1 is currently recommended) will make it more secure from possible future attack.

        [2] In fact, it is recommended that you do that, because the gup.exe is what has been improved in v8.8.8-v8.9.1 to make the update process even more secure. Once you’ve manually installed v8.9.2, the auto-updater will be more secure than it ever has been, and will be following all the industry best-practices for secure automatic update. Letting auto-updater run is the easiest way to ensure that you will continue to have the most secure version of Notepad++, as new security improvements are made (because best practices and Notepad++'s implementations of security practices are always being improved).

        • kia kam @PeterJones

          @PeterJones
          Thanks for the clear explanation. That really cleared up my confusion. I appreciate you taking the time to break it down and explain what actually happened and why updating is safe now.
