• Notepad++ introduces a double-lock update system, verifying signed installers from GitHub and signed XML from its own domain.
• The new design eliminates DLL side-loading by removing libcurl.dll and disabling insecure cURL SSL options.
• Plugin management now runs only on executables signed with the same certificate as WinGUp.
• Users can opt out of auto-updates during installation or via the MSI flag NOUPDATER=1.
• A six-month supply-chain attack by Lotus Blossom redirected updates to malicious servers using a Chrysalis backdoor.
• The double-lock mechanism aims to make Notepad++ updates effectively unexploitable, restoring trust after the breach.

Article Summaries:

  • Notepad++ has adopted a “double-lock” design for its update mechanism to address recently exploited security gaps that resulted in a supply-chain compromise. The new mechanism landed in Notepad++ version 8.9.2, announced yesterday, although work on it began in version 8.8.9 by implementing verification of the signed installer from GitHub. The second part of the double-lock system is checking the signed XML from the notepad-plus-plus.org domain. In practice, this means that the XML file returned from the update service is digitally signed (XMLDSig). The combination of the two verification
