Notepad++ Community

About plugin and malware

Security | 13 Posts | 8 Posters | 2.8k Views
    • rdipardo @wonkawilly
      last edited by rdipardo

      https://github.com/notepad-plus-plus/nppPluginList/issues/53

      None of the ideas pitched on GitHub have materialized, however. Plugin *.zip archives have to pass a checksum validation to get onto the distributed Plugin List, but that’s it.

      The real danger is that (apart from nppPluginList.dll itself) N++ will blindly load any DLL without validation: https://github.com/notepad-plus-plus/notepad-plus-plus/issues/13964

      • dinkumoil @rdipardo

        @rdipardo said in About plugin and malware:

        The real danger is that (apart from nppPluginList.dll itself) …

        As I suggested >>> here <<<, the file nppPluginList.dll is already loaded in a way that prevents any execution of code that could be included in it. It is loaded as a data file, see >>> this commit <<<.

        • wonkawilly @rdipardo
          last edited by wonkawilly

          @rdipardo

          @rdipardo said in About plugin and malware:

          https://github.com/notepad-plus-plus/nppPluginList/issues/53

          Plugin *.zip archives have to pass a checksum validation to get onto the distributed Plugin List, but that’s it.

          I seriously doubt that a checksum validation is useful for checking whether an executable file contains malware: usually it is more useful for checking whether a package sent over a network or saved to memory has been altered during the transfer, or whether it equals the original that was sent. So a checksum is more of an error check than a malware check, IMHO.
          OK, it can be used for security too, if the original programming team uses a checksum to allow users to validate their copy by comparing the local checksum result with the string the programmers calculated for the original uploaded file. But still, this does not indicate the absence of malware in a piece of software. It just says whether the file you have downloaded is the same one the checksum was calculated on before it was uploaded to a server, to see whether in the meantime the file has changed a bit…

          • Alan Kilborn @wonkawilly
            last edited by Alan Kilborn

            @wonkawilly

            I don’t think @rdipardo was singing the praises of the checksum; key phrasing was where he said “…but that’s it” – meaning it is minimalistic, and not up to the task of real protection.

            • rdipardo @wonkawilly

              @wonkawilly,

              @Alan-Kilborn is right. We’re on the same page as far as the lousy state of plugin security is concerned. But what’s good for security is usually bad for user experience, and N++'s “philosophy” has always made a top priority of user satisfaction.

              • wonkawilly @rdipardo
                last edited by wonkawilly

                @rdipardo
                Well, aiming at user satisfaction is always good, but I am not sure how satisfied any user can be who gets spreading malware on their system originating from an unchecked N++ plugin…
                I repeat, I am not here to do any scaremongering: so far I have never had any problem, but we can never be completely sure…
                Maybe a possible solution could be that the people who prepare the Notepad++ plugin repository scan the plugins with VirusTotal before they make their way to the official repository, and publish a link, in the description downloaded by Plugin Admin and in the table that lists all plugins in the repo, that leads to the scan result page for that plugin.
                This could mitigate the risks and shield the final users from eventual threats.
                This scan can be done periodically on the whole plugin repository, and one by one for each plugin making its way into the repository itself, the first time a new plugin is uploaded and in case of new version updates.
                IMHO N++ is very respected around the world, but a plugin with malware in it that makes its way from the official plugin repository handled by Plugin Admin to the final user’s machine can compromise all the efforts made to keep the positive image that N++ has gained over time, and it might seriously undermine the efforts to keep its positive image for all the users like me who love to use it on a daily basis.

                • PeterJones @wonkawilly

                  Does VirusTotal have a set of API URLs? Quick search: yes, it does.

                  Thus, someone might be able to create a GitHub Action that would trigger on pull request: any time someone asks to add or update a plugin in the Plugin List, the VirusTotal API could be polled with the submitted DLL, and the check would only “pass” if VirusTotal passes.

                  • Mark Olson @PeterJones
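The two mechanisms discussed in this thread, the SHA-256 check the Plugin List already applies to plugin zips (integrity only, as wonkawilly notes) and the VirusTotal-gated pull request PeterJones sketches, fit naturally into one gate. The following is an added example, not code from the thread or from the nppPluginList project. The endpoint paths, the `x-apikey` header and the `last_analysis_stats` / `stats` fields are VirusTotal's public v3 REST API; the function names, the `max_malicious` threshold (so one stray engine detection goes to review instead of failing the PR, the false-alarm concern raised later in the thread), the injected `transport` and the fake transport at the end are this example's own assumptions so it runs offline. It looks the hash up first and only uploads an archive VirusTotal has never seen.

```python
import hashlib
import time

# Added example (not from the thread or the Notepad++ project). Endpoint paths,
# the x-apikey header and the stats fields follow VirusTotal's public v3 API;
# names and thresholds are this example's own choices.
VT_BASE = "https://www.virustotal.com/api/v3"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the archive bytes (assumption: the list keys zips by SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Integrity only: proves the bytes are what the list author hashed,
    not that those bytes are benign."""
    return sha256_hex(data) == expected_hex.strip().lower()


def verdict(stats: dict, max_malicious: int = 1) -> str:
    """Map a VirusTotal stats block to pass / review / fail.
    A single engine flagging is a frequent false positive, so only more than
    `max_malicious` detections hard-fails; anything else flagged goes to review."""
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    if malicious > max_malicious:
        return "fail"
    if malicious or suspicious:
        return "review"
    return "pass"


class VirusTotalClient:
    """Minimal v3 client. `transport(method, url, headers=, files=)` is injected
    so the flow can run offline; in production pass `requests.request`."""

    def __init__(self, api_key: str, transport):
        self.headers = {"x-apikey": api_key}
        self.transport = transport

    def _get(self, path: str):
        r = self.transport("GET", VT_BASE + path, headers=self.headers)
        return r.status_code, r.json()

    def scan(self, data: bytes, filename: str,
             poll_seconds: float = 15, max_polls: int = 40) -> dict:
        # 1. Look the hash up first: a file VirusTotal already knows needs no upload.
        status, body = self._get(f"/files/{sha256_hex(data)}")
        if status == 200:
            return body["data"]["attributes"]["last_analysis_stats"]
        if status != 404:
            raise RuntimeError(f"VirusTotal lookup failed: HTTP {status}")
        # 2. Unknown hash: upload (this endpoint takes files up to 32 MB) and poll.
        r = self.transport("POST", VT_BASE + "/files", headers=self.headers,
                           files={"file": (filename, data)})
        analysis_id = r.json()["data"]["id"]
        for _ in range(max_polls):
            status, body = self._get(f"/analyses/{analysis_id}")
            attrs = body["data"]["attributes"]
            if attrs.get("status") == "completed":
                return attrs["stats"]
            time.sleep(poll_seconds)
        raise TimeoutError("VirusTotal analysis did not complete in time")


def gate_plugin(data: bytes, filename: str, expected_sha256: str,
                client: VirusTotalClient, max_malicious: int = 1) -> str:
    """The PR gate: checksum first (cheap; catches a swapped or corrupted zip),
    then the multi-engine scan (catches known malware, with a threshold)."""
    if not checksum_matches(data, expected_sha256):
        return "checksum-mismatch"
    return verdict(client.scan(data, filename), max_malicious)


# ---- constructed offline stand-in for `requests.request`; not real VT responses
class _FakeResponse:
    def __init__(self, status_code: int, payload: dict):
        self.status_code, self._payload = status_code, payload

    def json(self) -> dict:
        return self._payload


def make_fake_transport(final_stats: dict):
    """Simulates: hash unknown (404), upload accepted, first poll completed."""
    def transport(method, url, headers=None, files=None):
        if method == "GET" and "/files/" in url:
            return _FakeResponse(404, {"error": {"code": "NotFoundError"}})
        if method == "POST" and url.endswith("/files"):
            return _FakeResponse(200, {"data": {"type": "analysis", "id": "fake-id"}})
        if method == "GET" and "/analyses/" in url:
            return _FakeResponse(200, {"data": {"attributes": {
                "status": "completed", "stats": final_stats}}})
        raise AssertionError(f"unexpected call {method} {url}")
    return transport


if __name__ == "__main__":
    archive = b"PK\x03\x04 constructed stand-in for a plugin zip"  # constructed input
    listed_hash = sha256_hex(archive)  # what the Plugin List entry would carry
    client = VirusTotalClient("dummy-key", make_fake_transport({"malicious": 0, "suspicious": 0}))
    print(gate_plugin(archive, "plugin.zip", listed_hash, client))            # pass
    print(gate_plugin(b"tampered bytes", "plugin.zip", listed_hash, client))  # checksum-mismatch
```

In a GitHub Action the API key would come from a repository secret and `requests.request` would replace the fake transport; free VirusTotal keys are rate-limited, so a workflow should scan only the archives a pull request actually changes rather than the whole list on every run.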

                    @PeterJones
                    Looks to me like the VirusTotal API was already considered a while back in this issue in the NppPluginList repo. ArkadiuszMichalski made some reasonable points about technical difficulty/feasibility of implementing this in a way that limits the annoyance of dealing with false alarms.

                    Of course, the post is more than two years old now, so maybe the API is better and more reliable now.

                      • bitRAKE

                      Interesting breakdown of an attack on mimeTools.dll.
                      h**ps://asec.ahnlab.com/ko/63738/

                      Obviously, it’s not the official Notepad++ package.

                      • Mark Olson @bitRAKE

                        @bitRAKE
                        Good catch! I already opened an issue in the mimeTools repo referencing that article.

                        Of course, if it is, as you say, not an issue with the official plugin but rather an issue with Notepad++ loading a malicious DLL of the same name, I guess there’s nothing Don Ho can do about the issue.
