Slashdot Mirror

← Back to Stories (view on slashdot.org)

Notepad++ Update Fixes 'CIA Hacking' Issue (archive.org)

Posted by EditorDavid on from the attacks-on-text-editors dept.

Free software Notepad++ (released under the GNU General Public License) received a new update this week which was announced under the headline "Fix CIA Hacking Notepad++ Issue". The CIA documents in WikiLeaks' 'Vault 7' included a "Notepad++ DLL Hijack" document which affected the popular Windows editor for text and source code. "It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it," reads the announcement. From the Notepad++ web site: If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch. Checking the certificate of DLL makes it harder to hack.

Note that once users' PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.
The update also includes "a lot of enhancements and bug-fixes," and if no critical issues are found, "Auto-updater will be triggered in few days."

2 of 82 comments (clear)

  1. Re:Vault 7 by GuB-42 · · Score: 4, Informative

    What Notepad++ did is just a patch to prevent a specific exploit from being used, the underlying "vulnerability" is still there. This may be effective against inexperienced script kiddies but It won't stop the CIA or any self respecting cracker.
    DLL hijacking is actually a feature rather than a bug on general purpose OSes like Windows and Linux. It is very useful for development. Eliminating these kinds of vulnerabilities at a fundamental level means locking down the system, which can be done (ex : Microsoft AppLocker) but it is typically not what power users (the kind that use Notepad++) want.

  2. Obligatory: Intel CPU Backdoor Alert by Anonymous Coward · · Score: 0, Informative

    Intel CPU Backdoor Alert (Updated Mar 12, 2017)

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge.
    What we know about the Intel backdoor so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak:

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware is in the chipset flash chip (Intel Management Engine).

    ccc.de: "Our presentation covers a DMA malware that benefits from an isolated network channel to update the attack code and to exfiltrate captured data. To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    30C3 Intel ME live hack, @21m43s, keystrokes leaked from Intel ME outside the OS, wireshark cannot detect packets:
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware

    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal is tricky and requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort. If you are skilled in BIOS/Firmware, download some of the Intel ME firmware from this collection have a go at it (Intel used various decode counter measures, explained below).

    Useful links:
    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor?
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

    Long version:

    ME: Management Engine

    The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

    The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).

    The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the networ