Anyone who uses Notepad++ on Windows is exposing their system to attack. Security researchers reported four security holes to the developer at the end of April 2023, but little has happened since. In the worst case, a successful attack can get malicious code onto the computer.
Security researchers from the GitHub Security Lab discovered the vulnerabilities. In an article they describe the gaps and how contact with the maintainer went. Since the vulnerabilities were reported around four months ago, several new versions of the text editor have been released, but according to the researchers the security problems still exist, including in the current version v8.5.6.
The gaps
When converting from UTF-16 to UTF-8, errors can occur that trigger a buffer overflow (CVE-2023-40031, "high"). This allows attackers to inject and execute malicious code on affected systems. The researchers are not yet detailing what a specific attack might look like. In each case, a victim must open a crafted file.
The three remaining vulnerabilities (CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) are classified as medium severity. What happens after a successful attack is currently unclear. The researchers assume that the vulnerabilities could leak information.
When is the security patch coming?
The researchers say that communication with the developer has been slow. According to their own statements, they already included information on how to close the vulnerabilities in their first messages. A response to a request from heise Security to the developer is still pending.