Notepad++ release 8.9.6.1
-
Note:
For fixing arbitrary code execution vulnerability viaconfig.xml, “commandLineInterpreter” was removed, but “PowerShell here” command has been added, so I don’t think it’ll be an issue, though users who use “commandLineInterpreter” should be notified.
However, we might have some complains for fixing arbitrary code execution vulnerability viashortcuts.xml, due to the security warning, if the binary is not located under one of the fowing loctions:- C:\Program Files,
- C:\Program Files (x86)
- C:\Windows\System32
- C:\Windows
Unfortunately, I haven’t yet found a way to store the definate “Never show the confirmation dialog” safely. Please let me know if anyone here has some ideas.
-
:-(
How about an empty supressRunAlertDialog.xml besides of notepad++exe to suppress the warning dialog?
-
When installing the latest version (8.9.6.1) I get the following error which I’ve never seen before:
Does anybody have a clue about this?
-
@fml2
Which installer did you use? -
@donho The one I downloaded from the official web site https://notepad-plus-plus.org/downloads/v8.9.6.1/ (64 bit).
-
How about an empty supressRunAlertDialog.xml besides of notepad++exe to suppress the warning dialog?
I think that should work:
- in a normal install, that would be in the safe/UAC-protected Program Files hierarchy, so couldn’t be created by a malicious actor without UAC
- it would allow someone with admin privileges to make the executive decision to disable that safety feature
It could, in theory, be made more fine-grained – the XML could contain actual information, such as a list of “additional safe directories” (like Excel allows you to specify so that you can run VBA macros even if your file is in an alternate location), so your for-loop across the safe directories could include those from that file.
The empty file would obviously be easier to implement, but I would be fine with either solution. (And given how many CVE’s have been fixed in v8.9.4-v8.9.6.1, I don’t think my complaint about this one should prevent triggering auto-update, since I make do with existing until v8.9.7)
-
@fml2 ,
The one I downloaded from the official web site https://notepad-plus-plus.org/downloads/v8.9.6.1/ (64 bit).
I know.
What I need to know as information is, x64 or x86? NSIS exe Installer or MSI? -
It could, in theory, be made more fine-grained – the XML could contain actual information, such as a list of “additional safe directories” that Excel allows you to specify so that you can run VBA macros even if your file is in an alternate location, so your for-loop across the safe directories could include those from that file.
The empty file would obviously be easier to implement, but I would be fine with either solution. (And given how many CVE’s have been fixed in v8.9.4-v8.9.6.1, I don’t think my complaint about this one should prevent triggering auto-update, since I make do with existing until v8.9.7)
The empty XML file is not only easier to implement, but it is also the only viable solution IMO. I considered storing a list of user-validated commands, or even a simple boolean like “Never Alert Dialog” inside config.xml - but obviously config.xml is not in a protected directory, as described in CVE-2026-48778.
OTOH, supressRunAlertDialog.xml solves the issue - it can be placed by users with admin rights to restore the old behaviour back (no confirmation dialog), and we can also include it in the installer (WITHOUT by default) so the previous behaviour can be restored during the installation - with the user’s awareness.
Sorry for breaking the old workflow - but I cannot simply ignore this vulnerability. The reporter will publish it in 3 months anyway, with or without a fix, and it is a valid issue.
-
the only viable solution IMO
It’s not the only viable solution. The exception list could go in suppressRunAlertDialog.xml in the Program Files directory – so the user with Admin/UAC could edit the list, but a normal user could not – and this is what I was trying to imply with my phrasing above, but apparently didn’t get that point across. There is zero difference in security between an empty suppressRunAlertDialog.xml in Program Files and a suppressRunAlertDialog.xml in Program files containing actual XML data with the list of files.
But as I said, I’d be fine with the simpler version.
-
@donho x64, installer (exe)
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login