Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables.
The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and executed an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking’s concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.
Mitigation: Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted.
Status: The investigation is ongoing to determine the exact method of traffic hijacking. Users will be informed once tangible evidence regarding the cause is established.
Note that starting with v8.8.7, Notepad++ binaries - including the installer - are digitally signed using a legitimate certificate issued by GlobalSign. As a result, Installation of the Notepad++ root certificate is no longer required. We recommend that users who have previously installed the root certificate remove it.