Daily Archives: February 5, 2019

Notepad++ Update Results from Bug Bounty / 7-Zip Updates

====================
Updated: 11th March 2019
====================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Thank you.

====================
Original Post:
====================
On Sunday, 27th January, a new version of Notepad++ was released to address 7 vulnerabilities found by the EU-Free and Open Source Software Auditing (EU-FOSSA). Given that one of the vulnerabilities is potentially remotely exploitable and that Notepad++ is in such wide use both across the world and within the EU, we should update to version 7.6.3 to benefit from the remediation of these vulnerabilities.

TL;DR: If you use Notepad++ or 7-Zip, please consider updating them (even if exploits for these vulnerabilities are rare or do not exist).

Other widely used software participating in this bug bounty program is listed here (highlights include VLC, Putty, Apache Kafka, KeePass, Drupal, glibc and FileZilla). As I have previously discussed on this blog, if you use a 64-bit version of Windows, please consider using the 64-bit version of Notepad++; here’s why:

Please note, the 64-bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization) on a 64-bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation. Further information on HEASLR can be found on Alex Ionescu’s blog.
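To confirm that an installed build actually opts in to High Entropy ASLR, you can read the relevant flags from its PE header. The script below is an added example, not code from this post or from the Notepad++ project; the sample headers it builds are constructed, and the path to the executable is whatever you pass on the command line.

```python
import struct
import sys

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_PLUS_MAGIC = 0x20B    # optional-header magic for 64-bit (PE32+) images
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA


def aslr_status(image: bytes) -> dict:
    """Report ASLR-related mitigations declared in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24  # PE signature (4) + COFF header (20)
    if opt + 72 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", image, opt)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    x64 = machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32_PLUS_MAGIC
    aslr = bool(dll_chars & DYNAMIC_BASE)
    # The high-entropy flag only has effect on a 64-bit image with ASLR enabled.
    return {"x64": x64, "aslr": aslr,
            "high_entropy": x64 and aslr and bool(dll_chars & HIGH_ENTROPY_VA)}


def sample_header(machine: int, magic: int, dll_chars: int) -> bytes:
    """Constructed input: the minimum header bytes aslr_status() reads."""
    buf = bytearray(0x40 + 24 + 72)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)
    struct.pack_into("<H", buf, 0x40 + 24, magic)
    struct.pack_into("<H", buf, 0x40 + 24 + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # path to the executable to inspect
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], aslr_status(fh.read(4096)))
    else:                          # demo on constructed headers
        print("x64:", aslr_status(sample_header(0x8664, 0x20B, 0x0160)))
        print("x86:", aslr_status(sample_header(0x014C, 0x10B, 0x0140)))
```

A 32-bit build can report `aslr: True` but never `high_entropy: True`, which is the practical difference between the two Notepad++ editions discussed above.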

=======================
7-Zip Ranked as Number 5 in outdated software present on systems
=======================
On a separate but related note, earlier this month Avast made available a report that listed the most out-of-date software typically installed on systems. It was found that 7-Zip ranked number 5 with 92% of installs being out of date.

If you use 7-Zip, please consider upgrading it to version 18.06. I have previously provided descriptions of the vulnerabilities found in 7-Zip in 2018 and 2016 below. In addition, there have been several performance improvements in recent versions, making the tool faster than before.

Updating 7-Zip is very easy. You should only download it from its official website. Installing the new version over an existing version takes only seconds.

Thank you.