Anyone using Notepad++ under Windows leaves their system vulnerable to attack. Security researchers reported four vulnerabilities to the developer in late April 2023, but not much has happened since then. In the worst case, malicious code can enter your computer after a successful attack.
Announcement
Security researchers at the GitHub Security Lab have discovered the vulnerabilities. In an article they describe information about the gaps and how the contact with the responsible person wentA. Since the vulnerabilities were reported about four months ago, a few new versions of the text editor have been released, but according to the researchers, the security problems still exist, including the current version v8.5.6.
The gaps
Errors may occur when converting from UTF16 to UTF8 causing a buffer overflow (CVE-2023-40031 “high“). Attackers can use it to insert malicious code into systems and execute it. Researchers do not currently explain what a specific attack could look like. In any case, the victim must open a prepared file.
The three remaining vulnerabilities (CVE-2023-40036. CVE-2023-40164. CVE-2023-40166) are threat level”medium” classified. What happens after a successful attack is currently unclear. Researchers assume that information about the vulnerability could be leaked.
When will the security patch arrive?
Researchers say communication with the developer is slow. According to their own statements, in the first messages they have already provided information about the elimination of vulnerabilities. The response to a request from heise Security to the developer is still pending.
Announcement
(From)
