Slashdot Mirror

← Back to Stories (view on slashdot.org)

Notepad++ Update Fixes 'CIA Hacking' Issue (archive.org)

Posted by EditorDavid on from the attacks-on-text-editors dept.

Free software Notepad++ (released under the GNU General Public License) received a new update this week which was announced under the headline "Fix CIA Hacking Notepad++ Issue". The CIA documents in WikiLeaks' 'Vault 7' included a "Notepad++ DLL Hijack" document which affected the popular Windows editor for text and source code. "It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it," reads the announcement. From the Notepad++ web site: If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch. Checking the certificate of DLL makes it harder to hack.

Note that once users' PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.
The update also includes "a lot of enhancements and bug-fixes," and if no critical issues are found, "Auto-updater will be triggered in few days."

35 of 82 comments (clear)

  1. Vault 7 by war4peace · · Score: 4, Insightful

    It helps knowing all those things. Now, whoever isn't lazy/incompetent/in bed with the CIA will implement required changes to eliminate vulnerabilities.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Vault 7 by Anonymous Coward · · Score: 1

      Now, whoever isn't lazy/incompetent/in bed with the CIA will implement required changes to eliminate vulnerabilities.

      I suggest you read that second paragraph again.

      Maybe than you will realize that when some three-letter agency is able to exchange the DLL or the executable for something they wrote they can do that as easily for a gazillion other DLLs and executables on your computer, and that your "lazy/incompetent/in bed with" is nothing more than either ignorance, or sticking your head into the sand.

      Or trolling, lets not forget that one.

    2. Re:Vault 7 by Anonymous Coward · · Score: 2, Funny

      Somebody on CNN told me so

      No they didn't.

    3. Re:Vault 7 by Anonymous Coward · · Score: 1

      Another retarded Trump supporter trying to pretend CNN lied about something, sad!

    4. Re:Vault 7 by PolygamousRanchKid+ · · Score: 5, Funny

      Now, whoever isn't lazy/incompetent/in bed with the CIA will implement required changes to eliminate vulnerabilities.

      Why don't we eliminate the CIA instead? They are the problem.

      It's "legal-ish" for the CIA to install malware on the devices of US citizens. It is also legal in the US for the CIA to install malware on the devices of foreigners anywhere in the world.

      However, in most countries of the world, a foreign agency installing malware on devices of its citizens is a crime of espionage, or an act of war. Unfortunately, the CIA doesn't care about harming US citizens, and most definitely doesn't give a rat's ass about harming folks of other countries. Any legal action against the CIA will get you nowhere, really fast.

      So how can you fight back? Well, kick the CIA where it hurts . . . right in their balls. The CIA has two types of agents in foreign countries, so-called "legals" and "illegals". "Legals" work in a consulate or embassy and have diplomatic immunity. "Illegals" are undercover and have no diplomatic immunity. You have no chance as a common citizen of identifying an "illegal".

      "Legals", on the other hand, are quite easy to spot. They will usually have some innocuous sounding title, like, "Under Secretary for Cultural and Economic Exchange". So they can just hang out at cocktail parties and listen to political gossip. "The Economist" recommends: "Just look for someone who is obviously too clever for their job." CIA agents also run the visa department of US embassies and consulates. The want to check out folks even before they travel to the US.

      So just visit your local US embassy or consulate, ask for a visa to the US. The guy who interviews you will be a CIA agent. Do NOT bring any devices with you! Wait outside after closing time for the agent to walk outside.

      Then just kick him in the 'nads. If enough people in the world would do this, maybe even the US might think about taking notice of this.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:Vault 7 by GuB-42 · · Score: 4, Informative

      What Notepad++ did is just a patch to prevent a specific exploit from being used, the underlying "vulnerability" is still there. This may be effective against inexperienced script kiddies but It won't stop the CIA or any self respecting cracker.
      DLL hijacking is actually a feature rather than a bug on general purpose OSes like Windows and Linux. It is very useful for development. Eliminating these kinds of vulnerabilities at a fundamental level means locking down the system, which can be done (ex : Microsoft AppLocker) but it is typically not what power users (the kind that use Notepad++) want.

    6. Re:Vault 7 by WD · · Score: 2

      Except there isn't a DLL hijacking vulnerability at all. The CIA "issue" is that on an already-compromised computer, an administrator-privileged attacker can replace a Notepad++ DLL with one that does something else.

      Notepad++ itself cannot do anything to protect itself from being hijacked in such a way.

    7. Re: Vault 7 by dilvish_the_damned · · Score: 1

      They are all differently corrupt.

      --
      I think you underestimate just how much I just dont care.
    8. Re: Vault 7 by Anonymous Coward · · Score: 1

      Everything. Sad!

    9. Re:Vault 7 by Anonymous Coward · · Score: 1

      Why don't we eliminate the CIA instead? They are the problem.

      The CIA was created in large part to remedy the problem that the United States had suffered in the opening phases of the last two world wars, namely that we were caught with our pants down by enemy attacks due to lack of professional and coordinated intelligence gathering. During the first world war, the United States was caught woefully unprepared by the initiation of unrestricted submarine warfare by Germany and the Zimmerman telegram, which attempted to entice Mexico into invading the United States. At the beginning of the second world war we were caught almost completely by surprise at Pearl Harbor in Hawaii when naval and air forces of the Empire of Japan wrecked our Pacific Fleet. In both cases, some measure of good fortune prevented these incidents from becoming unmitigated disasters, but after being snookered twice by our enemies at the outbreak of war it was decided that in the future we would maintain a professional intelligence gathering and analysis capability so that we would be better prepared both to respond to threats and to preempt them before they led to war. Furthermore, since existing military intelligence was focused on tactical matters and military affairs, and given the long aversion in the United States towards military control of key government functions, it was decided that this Central Intelligence Agency (CIA) was to be staffed and run by civilians and not under military control. Thus the CIA, generally an honorable and necessary institution serving the legitimate democratic interests of the American people, was born. Now, have there been mistakes and missteps over the years? Certainly, we're all only human after all, but an honest analysis of the publicly available information overwhelmingly supports the conclusion that the benefits have outweighed the drawbacks when considered as a whole since the founding of the agency.

    10. Re:Vault 7 by Anonymous Coward · · Score: 1

      That is just the mainstream bullshit story. Learn some real history. The same people who funded the Nazi founded the CIA.

    11. Re:Vault 7 by sexconker · · Score: 1

      At the beginning of the second world war we were caught almost completely by surprise at Pearl Harbor in Hawaii when naval and air forces of the Empire of Japan wrecked our Pacific Fleet.

      Fucking wrong. We were warned by the British well in advance. We let the attack happen so we could finally get public support for the war.

    12. Re:Vault 7 by sexconker · · Score: 2

      notepad++ could not rely on external DLLs. Monolithic executables should make a comeback. Storage and memory are cheap, and we'll never see an end to the attacks that rely on manipulating shared memory. Using shared memory for anything important is like using a public bulletin board to file your taxes.

    13. Re:Vault 7 by rew · · Score: 1

      Imagine you have a sixyearold who doesn't want to go to school, so he hides the car keys. This morning he hid the keys in the honey pops box. So you decide to put an alarm on the honey pops. Not the fruitloops next to them, not the sugar bowl, not the fridge! Thousands of other places to hide the item, but you put an alarm on the ONE spot he used this time (And you tell him about the alarm!).

      This is very similar to how this "FIX" affects the CIA from "hiding the keys" again.

      It is wrong to publish about this issue calling this a "FIX".

      A "fix" would pose a significant barrier to entry, or at least close this one issue that would allow entry.

    14. Re:Vault 7 by ptaff · · Score: 2

      Monolithic executables should make a comeback. Storage and memory are cheap

      Saving memory and storage is only one of the reasons shared libraries constitute a better idea. Say they find a vulnerability in one shared library; after an update of said library, all programs using it are automagically updated. You don't have to update each and every program (and wait for each and every program's maintainer to fix the vulnerability and release a new version).

    15. Re: Vault 7 by Archangel+Michael · · Score: 1

      Qualitative vs Quantitative subjective determination!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    16. Re:Vault 7 by Archangel+Michael · · Score: 1

      The whole Russians Hacked the Elections story line, which was false from the beginning, and now we know the extent of that lie.

      Made for great fodder against Trump for the last 9 months though. Great coverup for the Democrats being incapable of securing anything.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    17. Re: Vault 7 by coteriescavenger · · Score: 1

      Or, this when CNN lied about the size of Hillary's crowds as if she was doing well, and then acting surprised when Trump won in a landslide, as if they didn't know it was probable. http://www.truthrevolt.org/new...

  2. Features == vulnerabilities by Waffle+Iron · · Score: 4, Funny

    This is why I still do all of my development work in edlin.

    1. Re:Features == vulnerabilities by OffTheLip · · Score: 1

      I agree that simplicity is best. I prefer vim but props to the Notepad++ team for fixing this.

    2. Re:Features == vulnerabilities by Gravis+Zero · · Score: 2

      This is why I still do all of my development work in edlin.

      Ha! You millennials and your newfangled volatile memory! I'll stick to punched tape, thanks. ;)

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Features == vulnerabilities by Jeremi · · Score: 2

      I agree that simplicity is best. I prefer vim but props to the Notepad++ team for fixing this.

      Vim is the most secure editor, because so far nobody at the CIA has been able to figure out how it works.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:Features == vulnerabilities by pz · · Score: 1

      Ed is the standard. Edlin is, of course, based on ed.

      https://www.gnu.org/fun/jokes/...

      "Ed is for those who can remember what they are working on." - patl.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  3. I am secure by Billly+Gates · · Score: 1

    I just use cat. I guess Ed is secure too since no one else's it anymore

    --
    http://saveie6.com/
  4. In USA by jamander4 · · Score: 1

    In peace and freedom loving USA secret police hack you and your TV and phone and car and computer.

  5. Some people have to jump on new technology! by Futurepower(R) · · Score: 1

    "... punched tape..."

    Punched tape!!! Some people have to jump on new technology. I engrave characters in stone. Let the CIA try to modify that remotely.

    1. Re:Some people have to jump on new technology! by sconeu · · Score: 2

      You had stone engraving?

      We had to make mud tablets, and wait for metamorphic pressure to turn them into rock.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  6. This is idiotic. by WD · · Score: 1, Insightful

    From the Notepad++ page (and even the Slashdot summary): "Note that once usersâ(TM) PCs are compromised, the hackers can do anything on the PCs."

    Repeat after me: If my computer is compromised, there's nothing that any individual app on the system can do to protect itself from being hijacked.

    There's nothing to see here.

  7. Re:Could just use Geany instead by Opyros · · Score: 1

    I dare anyone to tell me what Window$ does better

    You can get decent OCR software for Windows; open-source substitutes are laughable when you look at their error rates.

  8. How is this a hack? by FeelGood314 · · Score: 1

    The CIA had to get me to install and register a malicious DLL. If they can get me to do that then they can do worse than this. It just seems like the DLL is a place for them to have hidden a malicious payload. They could have chosen a number of other places and likely will just switch now.

    1. Re:How is this a hack? by eyenot · · Score: 1

      Um, can we say "war of attrition"?

      Is that too much work (to say)?

      --
      "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  9. Better link / better explanation of what happened by FeelGood314 · · Score: 1

    This isn't a hack of notepad++

  10. Better link by FeelGood314 · · Score: 1

    http://web.archive.org/web/201...

  11. Re:Obligatory: Intel CPU Backdoor Alert by Anonymous Coward · · Score: 1

    APK will save me with shadow stacks!

  12. Monolithic executables? by Larsen+E+Whipsnade · · Score: 1

    Got mixed feelings about this. There's a real security risk that this would help a lot with. But... user desires and code bloat always expand to take all available resources. So, there is a downside.

    What if the executable itself is compromised? Really, we need a coherent philosophy re digital signing. Do we cede control to the owners of the certificates, or to hackers? I say neither. If the signature is broken, always inform the user and always let the user make a command decision.

    If the owner of a host signs his own executables, that's fine - if he builds them himself from source. Make sure we allow this on all binaries. Don't mandate a particular signing authority. But then we must inform always inform the user at runtime just who signed what he's about to load. Because hackers can sign, too.

    Informed consent, and the user beware.