Notepad++ V 7.3.3 – Fix CIA Hacking Notepad++ Issue

The CIA probably isn't stupid. Why would they waste attacks like the ones you listed if the silly stuff simply works for most targets. Also those "silly stuff" things are perfect because anybody could have developed them and not necessarily a nation state actor.

Also just because some information got leaked, doesn't mean that there aren't more units / projects at the CIA where maybe the more skilled people are working and where the "good" attacks don't get leaked.

This looks to be the kind of stuff for the day in, day out operations.

This is just the exploits that contractors were given. There's probably another set of more carefully guarded and important 0 days. Given how easily these were passed around this was most likely a cache of common exploits used every day on regular operations. Huge deal if compromised, but not all the keys in the kingdom.

I suspect the CIA is doing these primitive basic attacks for one reason: they work a lot of the time. CIA likely doesn't use ONLY these attacks (and the more intricate ones are probably run by a different group), but I mean, c'mon, buffer overflows and SQL injection are STILL effective venues of attack. Why give up on something that works just because there are other, stronger, tools? This lets you reduce risk of your involved attacks being caught - use them less often. Meanwhile, you can get 80% (made up number) of your targets with "silly" stuff, and only bring out the big guns on the 20%.

All speculation, of course.

This is literally exactly what they want you to think. The CIA is smarter than you, and they have a lot to gain by misleading you otherwise.

Some of the most talented software engineers in the world work intelligence, and they can write better than you, exploit faster than you, debug more thoroughly than you, etc.

State intelligence is especially dangerous and devious. The average security researcher doesn't stand a chance, much less the average basement hacker.

Understanding what the CIA does and why they do it is designed to be more or less impossible from the outside. It's the nature of intelligence really, to be incomprehensible from outside the sphere.

The CIA may just not need that much for 80% of their targets. We aren't talking about top-level security experts. The CIA might use these tools on very low-tech focused threats. The mere fact that they focus on Samsung smart tvs tell us something about their targets. What person serious about security would have a TV that even had a chance of recording their conversations if it was hacked?

For the other 20% of targets who are serious about security (High-level government actors in countries that can invest a lot of money into serious computer security.) The CIA probably has a bunch of high-level tools that were not leaked.

Why would they use more sophisticated tools than required? There are no style points to be had.

Maybe the higher quality work just hasn't been leaked (yet)?

>I don't know why the CIA has this team of people bumbling around with DLL injectors and AV bypasses.

Got to have something to spend the budget on to ask for more next year?

Maybe they are just trawling and they have more skilled people pick out the wheat from the chaff or combine exploits. It would make sense if there are some bigger picture people directing the contractors. A library of low-level shit might be useful if you're building entire frameworks.

Strong currents push to classify work. Structures like jetties and piers oppose declassification.

Silt builds up at classification boundaries. You should expect to see a bunch of S crap that can't get to the TS tools, TS crap that can't get the compartments needed for the great tools---all in service of not devaluing the tech.

This was the U silt pile.

Doesn't that suggest that there are other attacks and exploits that the CIA potentially has that weren't leaked?

Those topics you list make for cool presentations, but at the end of the day some poor schmuck does have to write that "capture the phone calls from Skype" and "exfiltrate the IM messages" code. That super-meta rootkit certainly isn't doing it on its own. It's boring, there is probably XML involved, but so is that CRUD web app that is rewritten thousand times over on every continent of this planet.

DLL injection seems like a perfectly fine hammer in the toolbox for that purpose. Nobody is claiming that they are using it for anything more than targeting specific applications once they have already gained system access. How they got that access might make for more interesting documents.

The CIA is in the business of obtaining information, not malware research.

Would you say that Black Hat talks are representative of the state-of-the-art of malware? Or is it likely that commercial spyware/malware/rootkit authors know "more" than what's presented at Black Hat (or a similar conference)?

It could be disinformation.

> I know it's annoying to hear this, but I'm going to keep saying it: this stuff is silly. The DLL injection stuff in the CIA leaks should embarrass the CIA.

Are you calling Notepad++ or the CIA silly, here?

If the first case (which I assume) you're comically missing the point yourself, which is a big middle finger to a hostile government agency. This is an international Open Source software, used worldwide, that has taken a stance against US politics before (export restrictions).

So yeah maybe it is to embarrass the CIA, but not quite in the way you describe.

By publicly releasing this "fix", they're making a noise calling out LOOK WHAT THE CIA IS DOING PEOPLE, instead of shrugging "eh, is that all, I sure hope they got better exploits from my tax money" and "gosh I wonder why whoever released all this is angry with the US or something, I bet it's cause they're biased".

Now there's a public post on their site, on record, being shared everywhere that says BUGFIX BECAUSE THE CIA ACTIVELY TARGETED OUR SOFTWARE, so that people know this is no longer some "'They' could potentially do X and Y" but that it's actually happening and in this particular case "They" are the CIA.

I think you understand perfectly well how this sends a very different message to a very different (broader) audience than the (admittedly much more serious) revelations at Blackhat conferences. You remember that all these serious capabilities have been around for a long time, but the public didn't really take it seriously because many people believe "they wouldn't really" or the attacks were surely theoretical or otherwise we'd hear more about it, right? Or even when the capabilities have been right there, clear as day, for a decade, to actually assume "They" are really listening on your Samsung Smart TV's microphones (or you name it), has been flat out conspiracy nut territory or at best you could say "surely they only deploy these capabilities on a very small, targeted scale, responsibly".

And now they're not. We know it's happening. New proof of new scandalous breaches of privacy of individual indiscriminate members of the public comes out every other month or so. The whole world knows that the US/UK surveillance apparatus has spiralled out of control and is surveilling, spying and collecting data on everyone, everywhere. To say now, let's not make a big deal out of this because it just confirms what everybody could have known all along, is an idea that should have its motives questioned (by which I mean, you should maybe ask yourself, not that you're doing it deliberately).

Does Notepad++ really believe that with this fix they've successfully defended their software against CIA (or other gov.actor) exploits? Of course not. But they do get to make a big fuss out of it. And that's important too. If the police beat you up, is that something to make a big fuss out of and try to fix and make sure they don't get away with, even if it doesn't help with them still getting away with actually shooting people dead elsewhere? You can argue about that, but I wouldn't call it "silly".

Are there now people who will think "phew at least now Notepad++ is protected against CIA hacks"--well, probably, quite a few. But you're not addressing or helping those people by talking about Blackhat and hypervisor rootkits.

(... and if it's the second case, "silly" is a bit of an understatement given what these people have been up to the past half century or so--it's not actually quite as funny as in the film Burn after reading)

It may be silly, but people need to keep hearing that that CIA is doing an end-around the Bill of Rights.

The cynic in me would assume this is a well played game. Look at us, we can't even use Vi properly, and we use these unsophisticated attacks to break your defenses. Nothing to fear from us, don't worry...

We have ot agreed on many a topic... but I just want to say; I love you and keep doing what you're doing (PROVIDED youre not perpetuating the Deep State) - but yeah, youre sound and I will still keep calling you 'Patrick'

>Here's the rootkits track from Black Hat 2008 --- keep in mind that this is almost a decade old and that it's public work

So, yeah, we're fucked, yes?

They don't even have to be spies; judging by the leak, which had a number of personal and informal comments, CIA employees appear to be people too. I wouldn't be surprised if those working on government malware frequent HN just like you and me.

Yep.

> This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.

The CIA attack is an application directory attack, and the application directory is a trusted location on Windows. See: https://blogs.msdn.microsoft.com/oldnewthing/20161013-00/?p=...

I guess the attack allowed them to inject code into a Notepad++ process without breaking the signature on notepad++.exe itself. There's probably some value to the CIA doing this, or they wouldn't have done it (...right?)

Thinking that the author of a text editor should be concerned about the espionage activities of a superpower "is not how things should be".

Useless, yes. Nobody thinks he should solve the problems of the world, that's just a message.

I suppose this could help anyone that is currently being targeted. Once they update it should be obvious that the dll is compromised. Maybe some will come out of the woodwork and show it.

Well theoretically if you had a secure, verified boot chain this would plug a hole in it.

However in practice we don't have a full signed and verified stack.

Microsoft provided backdoor into windows ?

> Kasparsky and McAfee antivirus

if you had high opinions of those programs, you have bigger problems

There's at least two ways.

Right click the file scilexer.dll in your notepad folder and select properties. Then verify the certificate manually.

Another way is to download the same version from the notepad++ website and compare your version with theirs.

Really I wouldn't worry so much as long as you're not a CIA target they have no incentive to spent the time to deploy such a DLL on your system.

Update and run npp? Maybe copy your current dll to make sure it's not overwritten.

He writes that in the release notes:

> Checking the certificate of a DLL makes it harder to hack. Note that once users’ PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.