Vulnerabilities in Notepad++ (Sept. 2023)

Several vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) are believed to exist in the popular Notepad++ editor and have been reported to the developer by a security researcher. The vulnerability ratings range from medium to high. Although the report was made several months ago, there is still no security update for Notepad++, even though several product updates have been released in the meantime. When a fix will be available is currently open.

The vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) in the Notepad++ editor for Windows were discovered by security researcher Jaroslav Lobacevski, who has published the details on his GitHub security page. The buffer overflow vulnerability CVE-2023-40031 is rated as high risk, because an attacker could craft a file that, when opened in Notepad++, causes malicious code to run on the affected Windows system.

However, it is unclear exactly how the code execution happens. The problem is probably the Unicode representation or the conversion from UTF-16 to UTF-8, where a buffer overflow can occur. From the information provided by the security researcher, I understand that the whole thing can be triggered by a Python script being loaded. This scenario can lead to the execution of arbitrary code, as the discoverer of the vulnerability writes. The vulnerability could be eliminated by checking the required buffer size in the program code.
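To illustrate the defect class described above (and the fix the text mentions, checking the required buffer size), here is an added example; it is not Notepad++'s own code and not the researcher's proof of concept. The point it demonstrates: a UTF-16 code unit occupies 2 bytes, but its UTF-8 encoding can be 3 bytes (the euro sign U+20AC, for instance), so sizing the output buffer by the input length is wrong, and the converter must compute the exact size first and refuse to write when the destination is too small. The sample inputs, the function names and the 64-byte scratch buffer are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (UTF-16 code units), not taken from the advisory. */
static const uint16_t SAMPLE_EURO[4] = {0x20AC, 0x20AC, 0x20AC, 0x20AC}; /* four U+20AC */
static const uint16_t SAMPLE_PAIR[2] = {0xD83D, 0xDE00};                 /* U+1F600, a surrogate pair */
static const uint16_t SAMPLE_LONE[1] = {0xD83D};                          /* unpaired high surrogate */

/* Step 1: compute the exact number of UTF-8 bytes the UTF-16 input expands to.
 * A single 16-bit code unit can become up to 3 UTF-8 bytes; a surrogate pair
 * (two code units) becomes 4. A lone surrogate is replaced by U+FFFD (3 bytes). */
size_t utf8_size_for_utf16(const uint16_t *in, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t u = in[i];
        if (u < 0x80) {
            total += 1;
        } else if (u < 0x800) {
            total += 2;
        } else if (u >= 0xD800 && u <= 0xDBFF && i + 1 < n &&
                   in[i + 1] >= 0xDC00 && in[i + 1] <= 0xDFFF) {
            total += 4;  /* valid surrogate pair */
            i++;
        } else {
            total += 3;  /* other BMP character, or a lone surrogate -> U+FFFD */
        }
    }
    return total;
}

/* Step 2: convert only after confirming the destination is large enough.
 * Returns the number of bytes written, or 0 (writing nothing) when `cap` is too small. */
size_t utf16_to_utf8(const uint16_t *in, size_t n, char *out, size_t cap)
{
    if (utf8_size_for_utf16(in, n) > cap)
        return 0;  /* the size check the text says would prevent the overflow */

    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < n &&
            in[i + 1] >= 0xDC00 && in[i + 1] <= 0xDFFF) {
            cp = 0x10000 + ((cp - 0xD800) << 10) + (in[i + 1] - 0xDC00);
            i++;
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD;  /* lone surrogate: substitute the replacement character */
        }
        if (cp < 0x80) {
            out[o++] = (char)cp;
        } else if (cp < 0x800) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xF0 | (cp >> 18));
            out[o++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    return o;
}

/* Demo helper: convert into a fixed scratch buffer while pretending only `cap`
 * bytes are available; cap == 2*n models the wrong "output is no larger than
 * the input" assumption. Returns bytes written, 0 if the conversion was refused. */
size_t demo_convert(const uint16_t *in, size_t n, size_t cap)
{
    static char scratch[64];
    if (cap > sizeof scratch) cap = sizeof scratch;
    return utf16_to_utf8(in, n, scratch, cap);
}

/* Demo helper: 1 if converting with an exactly-sized buffer yields `expected` (len bytes). */
int demo_convert_matches(const uint16_t *in, size_t n, const char *expected, size_t len)
{
    char buf[64];
    size_t need = utf8_size_for_utf16(in, n);
    if (need > sizeof buf || need != len) return 0;
    return utf16_to_utf8(in, n, buf, need) == len && memcmp(buf, expected, len) == 0;
}

int main(void)
{
    size_t n = sizeof SAMPLE_EURO / sizeof SAMPLE_EURO[0];
    printf("input: %zu UTF-16 code units (%zu bytes)\n", n, n * 2);
    printf("UTF-8 bytes actually required: %zu\n", utf8_size_for_utf16(SAMPLE_EURO, n));
    printf("convert into %zu-byte buffer: %s\n", n * 2,
           demo_convert(SAMPLE_EURO, n, n * 2) ? "ok" : "refused (would overflow)");
    return 0;
}
```

Four euro signs are 8 bytes of UTF-16 but need 12 bytes of UTF-8, so a buffer sized from the input length is refused rather than overrun; the same two-pass pattern (measure, then write) is what any converter between encodings of different widths should follow.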

Personally, I think the risk is currently limited, since the user must be persuaded to open the foreign file, and normal Windows users are unlikely to use Notepad++. If I interpret it correctly, the user would also have to trigger a conversion of the text file from UTF-16 to UTF-8 via the Encoding menu to provoke the buffer overflow. Currently, it looks to me like the vulnerabilities are there. Users of Notepad++ should be aware that files received from others pose such a risk when opened. The remaining CVEs are rated as moderate in risk, as heise writes in this German article.

Security researcher Jaroslav Lobacevski reported the vulnerabilities to the developer of the Notepad++ editor on April 28, 2023. However, nothing has happened since then, although a proposal for the fix was made. Updates to the Notepad++ editor were released in May and June 2023 without fixing the vulnerability. In the entry on GitHub Security, you can read about the difficult communication between security researcher Jaroslav Lobacevski and the developer of the software.

Although the developer released product updates, the vulnerabilities were not closed. In addition, the developer stated that Notepad++ v8.5.4 could not be compiled with AddressSanitizer (ASAN) as a security option. In July 2023, it was confirmed that v8.5.4 could be compiled with ASAN. Nevertheless, the developer has released further Notepad++ updates without fixing the reported vulnerabilities.

After the problems were pointed out to the developer several times, he was sent a proof of concept in binary form (instead of as a Python script). There has been no reaction so far, although further updates of Notepad++ have been released. The security researcher then published his findings on August 21, 2023. When an update to fix the vulnerabilities will come is still unclear. However, there is this 2-day-old comment from the developer that he has accepted the request to fix the vulnerability; the publication of the vulnerabilities seems to have worked.
