
The popular text editor Notepad++ has addressed a severe security weakness in its update mechanism that could allow attackers to hijack network traffic and push malicious executables to users under the guise of legitimate updates.
Security researchers recently observed suspicious traffic patterns involving WinGUp, the built-in updater used by Notepad++.
According to their findings, update requests were, in some cases, being redirected to malicious servers. Instead of retrieving genuine Notepad++ installers, the updater downloaded compromised binaries, creating a silent malware delivery channel.
An internal review of the reports led to the discovery of a flaw in the way WinGUp validated the integrity and authenticity of downloaded update files.
Under certain conditions, if an attacker could intercept or manipulate network traffic between the Notepad++ updater client and the official update infrastructure, this weakness could be exploited to substitute the legitimate installer with a rogue binary.
In such a scenario, the updater could be tricked into downloading and executing malware, all while appearing to perform a routine software update. This type of attack aligns with classic man-in-the-middle or traffic-hijacking techniques often seen in supply-chain and update-channel compromises.
Security Enhancements in Latest Release
To mitigate the issue and address the concerns raised by researchers, the latest Notepad++ release introduces stricter verification during the update process.
Both Notepad++ and WinGUp have now been hardened to verify the digital signature and certificate of downloaded installers before proceeding.
If the signature or certificate check fails, the update process is immediately aborted, preventing execution of untrusted code. Notepad++ developers have stated that the investigation into the exact hijacking method remains ongoing, and users will be informed once concrete evidence about the attack vector is established.
Separately, starting with version 8.8.7, all Notepad++ binaries, including the installer, are digitally signed using a legitimate certificate issued by GlobalSign.
This change removes the need for users to install a custom Notepad++ root certificate. The project now recommends that any previously installed Notepad++ root certificates be removed to reduce unnecessary trust anchors.
The new version 8.8.9 packages these security improvements alongside several bug fixes and additional enhancements. Users are strongly advised to upgrade to the latest release and obtain installers only from the official Notepad++ website, where the full changelog and download links for version 8.8.9 are available.
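The same kind of signature and certificate check can be run by hand on a downloaded installer, along with a search for leftover custom root certificates. The PowerShell below is an added example, not code from Notepad++ or WinGUp; the signer and issuer substrings, the root-certificate name pattern and the function names are assumptions to adjust against a known-good copy.

```powershell
# Added example: verify an installer's Authenticode signature before running it.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Assumption: substrings expected in the signer and issuer names. Compare with
    # the Digital Signatures tab of an installer from the official website.
    [string] $ExpectedSigner = 'Notepad++',
    [string] $ExpectedIssuer = 'GlobalSign'
)

function Test-InstallerSignature {
    param([string] $Path, [string] $Signer, [string] $Issuer)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $problems = @()

    # Valid means the file hash matches the signature and the certificate chain
    # builds to a root that this machine trusts.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        $problems += 'File carries no signer certificate'
    } else {
        # The issuer check matters when an old custom root is still installed:
        # a chain to that root would also report Valid.
        if ($cert.Subject -notlike "*$Signer*") { $problems += "Unexpected signer: $($cert.Subject)" }
        if ($cert.Issuer  -notlike "*$Issuer*") { $problems += "Unexpected issuer: $($cert.Issuer)" }
    }
    [pscustomobject]@{ Path = $Path; Trusted = ($problems.Count -eq 0); Problems = $problems }
}

function Get-LeftoverRootCertificate {
    # Assumption: the custom root certificate's subject mentions the project name.
    param([string] $NamePattern = '*Notepad++*')
    Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $NamePattern } |
        Select-Object Subject, Thumbprint, NotAfter, PSParentPath
}

$result = Test-InstallerSignature -Path $InstallerPath -Signer $ExpectedSigner -Issuer $ExpectedIssuer
$result | Format-List
Get-LeftoverRootCertificate | Format-Table -AutoSize   # candidates for removal
if (-not $result.Trusted) { exit 1 }                   # do not run the installer
```

Name matching is a coarse check; comparing the signer certificate's thumbprint against one taken from a known-good installer is stricter.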
