Notepad++, the widely used open-source text and code editor, has released version v8.9.2, introducing a major security enhancement known as the “Double-Lock” update mechanism.
This update addresses vulnerabilities that were exploited in a recent state-sponsored attack targeting the application’s update infrastructure.
Last month, Notepad++’s official site confirmed that attackers had successfully hijacked its update channel, allowing the distribution of a malicious update.
Following the incident, the development team promised to fortify the update verification process. That promise has now been fulfilled with the v8.9.2 release.
Strengthening the Update Process
The latest release introduces XMLDSig (XML Digital Signature) verification for update files.
The XML returned by Notepad++’s update server is now cryptographically signed, and both the signature and the signing certificate are verified before any update is applied.

This means that, starting with v8.9.2, all future updates will only be accepted if they are verified against trusted Notepad++ certificates.
In addition to this measure, Notepad++ now performs two independent verifications forming what the developers describe as a “Double-Lock” update system:
| Verification Layer | Source | Version | Purpose |
|---|---|---|---|
| XML Signature Verification | Notepad++ official site | v8.9.2 | Verifies signed update metadata (XML) to prevent tampering or spoofed update info. |
| Installer Signature Verification | GitHub | v8.8.9 | Validates installer digital signature to block modified or malicious binaries. |
Together, these measures create a resilient security model that prevents malicious interception of, or tampering with, update files. The development team notes that this design makes the update process “robust and unexploitable.”
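The two-lock model described above, as an added example that is not WinGUp's or Notepad++'s code: it stands in ECDSA P-256 keys generated per run for the pinned Notepad++ certificates, and signs the raw update XML and installer bytes instead of performing full XMLDSig canonicalisation or Authenticode checks. An update is accepted only when both independent checks pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Two independent signing keys, one per "lock". A real updater pins the public
// halves (or the certificates) at build time; here they are generated per run.
var metadataKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // lock 1: update XML
var installerKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lock 2: installer

// sign produces an ASN.1 ECDSA signature over SHA-256(data).
func sign(k *ecdsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return sig
}

func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// doubleLock accepts an update only if the XML verifies under the pinned
// metadata key AND the installer verifies under the pinned installer key.
// The XML is not parsed, and nothing is installed, until lock 1 holds.
func doubleLock(xml, xmlSig, installer, instSig []byte) error {
	if !verify(&metadataKey.PublicKey, xml, xmlSig) {
		return errors.New("lock 1 failed: update XML not signed by pinned key")
	}
	if !verify(&installerKey.PublicKey, installer, instSig) {
		return errors.New("lock 2 failed: installer not signed by pinned key")
	}
	return nil
}

func main() {
	xml := []byte(`<update version="8.9.2" url="https://example.invalid/npp.exe"/>`) // constructed
	inst := []byte("constructed installer bytes")
	fmt.Println("genuine update:", doubleLock(xml, sign(metadataKey, xml), inst, sign(installerKey, inst)))
	// Hijacked update channel: the site is controlled by someone without the pinned keys.
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	evil := []byte("constructed trojanised installer")
	fmt.Println("hijacked channel:", doubleLock(xml, sign(attacker, xml), evil, sign(attacker, evil)))
}
```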
WinGUp Auto-Updater Enhancements
The WinGUp auto-updater, which manages update downloads and installations, has also undergone a significant security overhaul.
Key improvements include:
| Category | Improvement | Description |
|---|---|---|
| Update Security | XMLDSig signing | Update XML files from Notepad++ server are digitally signed for integrity verification. |
| Double Verification | Dual update validation | Signed XML (official site) + signed installer from GitHub. |
| Certificate Enforcement | Strict signature checks | Certificates validated before updates install. |
| Auto-Updater Hardening | Removed libcurl.dll | Eliminates DLL side-loading risk. |
| Stronger SSL | Disabled weak cURL options | Enforces stricter TLS/SSL validation. |
| Plugin Control | Signed plugins only | Only plugins signed with official certificate allowed. |
| Stability & Transparency | Bug fixes + public response | Improves stability and maintains open communication post-incident. |
Moreover, users who prefer manual update control can turn off the auto-updater during installation or use the MSI parameter:

```
msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1
```
