Notepad++ Update Fixes 'CIA Hacking' Issue

Free software Notepad++ (released under the GNU General Public License) received a new update this week which was announced under the headline "Fix CIA Hacking Notepad++ Issue". The CIA documents in WikiLeaks' 'Vault 7' included a "Notepad++ DLL Hijack" document which affected the popular Windows editor for text and source code. "It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it," reads the announcement. From the Notepad++ web site: If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch. Checking the certificate of DLL makes it harder to hack.

Note that once users' PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.
The update also includes "a lot of enhancements and bug-fixes," and if no critical issues are found, "Auto-updater will be triggered in few days."

Vault 7

[war4peace]

It helps knowing all those things. Now, whoever isn't lazy/incompetent/in bed with the CIA will implement required changes to eliminate vulnerabilities.

Re:Vault 7

Somebody on CNN told me so

No they didn't.

Re:Vault 7

[PolygamousRanchKid+]

Now, whoever isn't lazy/incompetent/in bed with the CIA will implement required changes to eliminate vulnerabilities.

Why don't we eliminate the CIA instead? They are the problem.

It's "legal-ish" for the CIA to install malware on the devices of US citizens. It is also legal in the US for the CIA to install malware on the devices of foreigners anywhere in the world.

However, in most countries of the world, a foreign agency installing malware on devices of its citizens is a crime of espionage, or an act of war. Unfortunately, the CIA doesn't care about harming US citizens, and most definitely doesn't give a rat's ass about harming folks of other countries. Any legal action against the CIA will get you nowhere, really fast.

So how can you fight back? Well, kick the CIA where it hurts . . . right in their balls. The CIA has two types of agents in foreign countries, so-called "legals" and "illegals". "Legals" work in a consulate or embassy and have diplomatic immunity. "Illegals" are undercover and have no diplomatic immunity. You have no chance as a common citizen of identifying an "illegal".

"Legals", on the other hand, are quite easy to spot. They will usually have some innocuous sounding title, like, "Under Secretary for Cultural and Economic Exchange". So they can just hang out at cocktail parties and listen to political gossip. "The Economist" recommends: "Just look for someone who is obviously too clever for their job." CIA agents also run the visa department of US embassies and consulates. The want to check out folks even before they travel to the US.

So just visit your local US embassy or consulate, ask for a visa to the US. The guy who interviews you will be a CIA agent. Do NOT bring any devices with you! Wait outside after closing time for the agent to walk outside.

Then just kick him in the 'nads. If enough people in the world would do this, maybe even the US might think about taking notice of this.

Re:Vault 7

[GuB-42]

What Notepad++ did is just a patch to prevent a specific exploit from being used, the underlying "vulnerability" is still there. This may be effective against inexperienced script kiddies but It won't stop the CIA or any self respecting cracker.
DLL hijacking is actually a feature rather than a bug on general purpose OSes like Windows and Linux. It is very useful for development. Eliminating these kinds of vulnerabilities at a fundamental level means locking down the system, which can be done (ex : Microsoft AppLocker) but it is typically not what power users (the kind that use Notepad++) want.

Re:Vault 7

[WD]

Except there isn't a DLL hijacking vulnerability at all. The CIA "issue" is that on an already-compromised computer, an administrator-privileged attacker can replace a Notepad++ DLL with one that does something else.

Notepad++ itself cannot do anything to protect itself from being hijacked in such a way.

Re:Vault 7

[sexconker]

notepad++ could not rely on external DLLs. Monolithic executables should make a comeback. Storage and memory are cheap, and we'll never see an end to the attacks that rely on manipulating shared memory. Using shared memory for anything important is like using a public bulletin board to file your taxes.

Re:Vault 7

[ptaff]

Monolithic executables should make a comeback. Storage and memory are cheap

Saving memory and storage is only one of the reasons shared libraries constitute a better idea. Say they find a vulnerability in one shared library; after an update of said library, all programs using it are automagically updated. You don't have to update each and every program (and wait for each and every program's maintainer to fix the vulnerability and release a new version).

Features == vulnerabilities

[Waffle+Iron]

This is why I still do all of my development work in edlin.

Re:Features == vulnerabilities

[Gravis+Zero]

This is why I still do all of my development work in edlin.

Ha! You millennials and your newfangled volatile memory! I'll stick to punched tape, thanks. ;)

Re:Features == vulnerabilities

[Jeremi]

I agree that simplicity is best. I prefer vim but props to the Notepad++ team for fixing this.

Vim is the most secure editor, because so far nobody at the CIA has been able to figure out how it works.

Re:Some people have to jump on new technology!

[sconeu]

You had stone engraving?

We had to make mud tablets, and wait for metamorphic pressure to turn them into rock.