Notepad++ has adopted a “double-lock” design for its update mechanism to address recently exploited security gaps that resulted in a supply-chain compromise.
The new mechanism landed in Notepad++ version 8.9.2, announced yesterday, although work on it began in version 8.8.9 with the implementation of signature verification for the installer downloaded from GitHub.
The second part of the double-lock system is checking the signed XML from the notepad-plus-plus.org domain. In practice, this means that the XML file returned from the update service is digitally signed (XMLDSig).
The combination of the two verification mechanisms makes for a more robust "and effectively unexploitable" update process, says the team behind the massively popular open-source text and source code editor.
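The two checks described above can be reproduced by an administrator who wants to validate an update independently before deployment. This is an added example, not Notepad++ or WinGUp code; it assumes Windows PowerShell 5.1, an enveloped XMLDSig signature over the whole update XML, and a signing certificate and thumbprint obtained out of band (all paths and the thumbprint are placeholders).

```powershell
# Added example, not Notepad++ or WinGUp code. Paths and thumbprint are placeholders.
Add-Type -AssemblyName System.Security   # provides SignedXml on Windows PowerShell 5.1

function Test-UpdateXmlSignature {
    param(
        [Parameter(Mandatory)][string]$XmlPath,
        [Parameter(Mandatory)][string]$PinnedCertPath   # .cer obtained out of band
    )
    $certFile = (Resolve-Path $PinnedCertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true        # whitespace is part of the signed content
    $doc.Load((Resolve-Path $XmlPath).Path)
    $sigNodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigNodes.Count -ne 1) { return $false }   # unsigned or ambiguous: reject

    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signed.LoadXml([System.Xml.XmlElement]$sigNodes.Item(0))
    # Assumption: one reference with URI "" (the whole document is signed).
    # A reference to a fragment only would leave room for unsigned elements.
    $refs = $signed.SignedInfo.References
    if ($refs.Count -ne 1 -or $refs[0].Uri -ne '') { return $false }
    # Verify against the pinned certificate, never the KeyInfo carried in the XML.
    return $signed.CheckSignature($cert, $true)
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    # A valid chain is not enough: the signer must be the expected publisher.
    return ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
}

function Test-DoubleLock {
    param($XmlPath, $PinnedCertPath, $InstallerPath, $ExpectedThumbprint)
    $xmlOk = Test-UpdateXmlSignature -XmlPath $XmlPath -PinnedCertPath $PinnedCertPath
    $binOk = Test-InstallerSignature -InstallerPath $InstallerPath -ExpectedThumbprint $ExpectedThumbprint
    # Both locks must hold; either failure alone blocks the install.
    [pscustomobject]@{ XmlSignature = $xmlOk; InstallerSignature = $binOk; Install = ($xmlOk -and $binOk) }
}

# Test-DoubleLock -XmlPath .\update.xml -PinnedCertPath .\publisher.cer `
#     -InstallerPath .\installer.exe -ExpectedThumbprint '<PUBLISHER-THUMBPRINT>'
```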
Additional security-oriented changes applied to the auto-updater include:
Removal of libcurl.dll to eliminate DLL side-loading risk
Removal of two unsecured cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
Restriction of plugin management execution to programs signed with the same certificate as WinGUp
The new announcement also notes that users can exclude the auto-updater during UI installation or deploy the MSI package with: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1
Figure: Vulnerable update model (left) and new, secure model (right)