Notepad++ 8.5.7 fixes 4 security issues
The developer of the open source plain text editor Notepad++ has released the security update Notepad++ 8.5.7 to the public. The latest update addresses four security issues in the client and introduces changes as well.
Existing users may install the update by selecting the question-mark icon in the Notepad++ interface and then Update Notepad++ from the menu that opens. New users and those who prefer to download the latest version manually find them, as usual, on the official GitHub project website. The project website hosts the portable version as well.
The security fixes
The security issues were reported to the project some time ago and made public recently. One issue, CVE-2023-40031, has a high severity rating, the other three issues, CVE-2023-40036, CVE-2023-40164 and CVE-2023-40166, a medium severity rating.
The issue rated high is a heap buffer write overflow security issue in Utf8_16_Read::convert, which handles conversions between UTF8 and UTF16. Successful exploitation of the issue may lead to arbitrary code execution.
CVE-2023-40031 describes a global buffer read overflow issue. The loading of a specially crafted file could result "in the reading past the bounds of a globally allocated object buffer". The security researcher, who reported the issue, suggested that it had the potential of leaking "internal memory allocation information".
CVE-2023-40036 and CVE-2023-40164 do describe buffer overflow issues as well. The exploitability of the issue "is not clear", according to the researcher, but these could also "be used to leak internal memory allocation information".
The non-security changes in Notepad++ 8.5.7
Notepad++'s uninstall.exe application has been signed, which, by definition, is a security improvement.
The remaining changes are the following ones:
- Fixed a potential memory leak while reading UTF8-16 files.
- Tab dragging performance fixed while the document list is displayed.
- Superrss 2GB file warning option for x64 added.
- Fixed a cloned document disassociation issue after relaunch of the application.
- Fixed a file session saving issue if the file is read-only.
- Fixed an issue that activated incorrect files after loading session files.
- Fixed the display of the product version value in the file's properties.
- Changed the slogan in the installer.
Notepad++ users may want to update to the new version asap to fix the security issues in the text editor. While the issues appear specially crafted files for exploitation, it is still recommended to upgrade immediately.
Now You: which plain text editor do you use?