this post was submitted on 10 Dec 2025
324 points (96.0% liked)

Technology

77090 readers
2591 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
324
Notepad++ updater installed malware (www.heise.de)
submitted 2 days ago* (last edited 2 days ago) by schizoidman@lemmy.zip to c/technology@lemmy.world
45 comments fedilink hide all child comments
 

https://archive.is/uCWNB

you are viewing a single comment's thread
view the rest of the comments
[–] ren@reddthat.com 16 points 1 day ago

Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary – if such a warning pops up, users should be alarmed.

I don't understand how this is relevant. Unless the attacker has either

(a) somehow acquired the private key of the cert

(b) replaced the cert delivered through the installer

A self signed cert isn't any worse. Both of these attack vectors still work with a public root CA. Or maybe notepad++ just forgot to validate the self signed cert against the one they delivered through their sources, just accepting any non-expired cert? That's just a bug.