A few days ago I recommended Notepad++ to someone close to me, and it was neither the first nor the second time I have recommended this veteran application. Next November it will be 20 years since its initial release and, although I didn’t start using it then, I do remember coming across it for the first time and adding it to my must-haves sometime between 2004 and early 2005. Since then, it has been on the list of software I install on every new PC that has passed through my hands.
However, for the first time since I first came across it, I must be quite critical of its developers: for several months they have known about several vulnerabilities in their software and, despite this, they have not corrected them. This in itself is already dangerous, but it takes on an even more worrying dimension when you know that, for several weeks, the nature of these vulnerabilities was already publicly known, and that they could therefore be exploited by anyone with the necessary knowledge.
But let’s start at the beginning. In March of this year Notepad++ 8.5 was released, and a month later GitHub’s Security Lab identified a vulnerability in it. The security team, as is common in this type of case, proceeded to inform the application’s developers, setting a deadline for its correction before making its nature public. This is the usual procedure under responsible disclosure policies: the nature of the problem is not revealed, to avoid its exploitation by cybercriminals, but a deadline is set for the correction, to prevent developers from neglecting the need to fix the vulnerabilities.
However, as we can read in the published research, four months after the initial communication those responsible for Notepad++ still had not fixed the vulnerabilities. And we cannot say this was due to a lack of activity, since several updates were published in that time range (from 8.5.3 to 8.5.6). It was not until several weeks after the full disclosure of the vulnerabilities that update 8.5.7 was published, which is the one that finally corrects all of these problems.
To be more specific, full disclosure occurred on August 21, a week after the publication of Notepad++ 8.5.6, which still contained the vulnerability, so users of the software have been very exposed to this security threat until just two days ago, when update 8.5.7 was finally published and put an end to these problems. But the problem is even worse because, as you can see in the image below, at the time of publishing this news, if you have version 8.5.6 installed (which is affected, I repeat) the software’s update system indicates that there is no update available at the moment:
So what remains is to use the link that leads to the download page, where fortunately we will find the update that, surprisingly, is not shown by the program’s own update function:
It goes without saying, therefore, that if you are a Notepad++ user you should update to this version immediately; otherwise you are facing an unnecessary risk. And, yes, from here a good slap on the wrist to Don Ho, for having allowed the users of the software he created and has maintained for so long to be exposed to this threat. These types of problems can put a dent in the reputation and good image that this application has enjoyed for many years, and that would really be a shame, since, without a doubt, the prestige it has was earned through great work over many years.
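Because the built-in update check cannot be relied on here, a practitioner managing several Windows machines will want an independent way to confirm which Notepad++ build is installed and whether it is below 8.5.7. The following PowerShell script is an added example written for this article; it is not code from Notepad++ or its author. It assumes the default installation path under Program Files (or Program Files (x86)) and reads the version stamped into notepad++.exe; the path list and the output labels are this example’s own choices.

```powershell
# Added example: report whether the installed Notepad++ is older than the fixed release.
# Assumptions (not from the article): default install locations and that the file
# version stamped in notepad++.exe matches the product version shown in the app.

$FixedVersion = [version]'8.5.7'   # first release the article says corrects the problems

# Candidate locations; adjust if the machine uses a custom or portable install.
$Candidates = @(
    "$env:ProgramFiles\Notepad++\notepad++.exe",
    "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe"
)

function Get-NotepadPlusPlusVersion {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $info = (Get-Item -LiteralPath $p).VersionInfo
            # Some builds populate FileVersion as "8.5.6", others "8.5.6.0"; [version] handles both.
            return [pscustomobject]@{
                Path    = $p
                Version = [version]($info.FileVersion -replace '[^\d\.]', '')
            }
        }
    }
    return $null
}

function Test-NotepadPlusPlusFixed {
    param([version]$Installed, [version]$Required = $FixedVersion)
    # Returns $true only when the installed build is at or above the fixing release.
    return $Installed -ge $Required
}

$found = Get-NotepadPlusPlusVersion -Paths $Candidates
if ($null -eq $found) {
    Write-Output 'Notepad++ not found in the default locations.'
} elseif (Test-NotepadPlusPlusFixed -Installed $found.Version) {
    Write-Output ("OK: {0} is version {1} (>= {2})." -f $found.Path, $found.Version, $FixedVersion)
} else {
    Write-Output ("ACTION NEEDED: {0} is version {1}, below {2}; update from the download page." -f `
        $found.Path, $found.Version, $FixedVersion)
}
```

Comparing `[version]` objects rather than strings avoids the classic mistake where "8.5.10" sorts before "8.5.7" lexically. On a fleet, the same two functions can be run through a remoting job and the `ACTION NEEDED` lines collected into an inventory of machines still on 8.5.6 or earlier.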