
I've just read the release notes of Notepad++ 7.3.3 and I've discovered that in the recent Wikileaks revelations about the CIA hacking tools there's something affecting Notepad++. The program itself is fine, but it relies on an external DLL, called SciLexer.dll, of which there exists a version that was modified by the CIA and which enables data collection in the background. In light of this, the newest version of Notepad++ checks the signature of that library, and if it isn't the right one, it simply doesn't start.

My problem is that I'm using a PC where I don't have admin privileges and I can't install/update programs myself, and even asking the IT department to do it takes long because they are allowed to install only some approved versions, and the entire procedure, due to the usual bureaucratic complications, could take weeks or months. So, without being able to install the newest version, how can I check whether my version of SciLexer.dll is good? Is there a direct way to check the certificate (maybe using the CertUtil command)? If not, can I take a SHA-256 hash and verify it against a known good one? And which one?

For example, to get the SHA-256 hash of my file I can open a shell and run this command:

certutil -hashfile "C:\Program Files (x86)\Notepad++\SciLexer.dll" SHA256

And its output is:

SHA256 hash of file SciLexer.dll:
ea 47 f3 18 a8 09 6b 0b 37 f0 cf 04 be 07 76 f0 33 80 27 50 57 a6 cc 10 44 28 df 38 3e d7 69 68
CertUtil: -hashfile command completed successfully.

I currently have Notepad++ v6.6.9 and it's running on Windows 7 64-bit Enterprise.

So, how can I verify whether the library installed on my PC is the original one or not?

  • You most likely don't have anything to worry about. The malware deployed by nation-states is generally targeted at specific individuals/organizations. The more often malware is deployed, the more likely it is to be detected, so organizations like the CIA do not tend to deploy items like this unless it's worth the risk. Do you have any reason to believe that you or the organization you work for would be targeted by the CIA? If not, you should probably not worry about it. – Dan Landberg Mar 13 '17 at 21:31
  • @user52472 No, I have no special reason to be afraid of it, but the products we make do have some value from this point of view... That, and the shock that something as seemingly harmless as a text editor could be used for spying, probably made me overthink it. Thanks for your message! – Fabio says Reinstate Monica Mar 14 '17 at 00:15

1 Answer


From the website of the editor, you can download an archive (zip or 7z) of the version installed on your computer. Check the signature of your archive. Then unpack the archive and compute the checksum of its DLL (using SHA-256 for example) and compare it to the checksum of the installed DLL. Both should be identical.

If the checksum differs, you should post a ticket on your company's helpdesk with your findings. Let the admin find the solution to his issue (replacing the DLL or updating the application).

In the meantime, a portable version of Notepad++ is available on portableapps.com. You should check its DLL too, but you don't need higher privileges to install it.

A. Hersean
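A PowerShell version of the comparison the answer describes, added here as an example (it is not code from the question, the answer, or the Notepad++ project): it hashes the installed SciLexer.dll and the reference copy unpacked from the official archive of the same version, reports whether they match, and also shows what Windows says about the installed DLL's Authenticode signature. None of this needs admin rights. The reference path under Downloads is an assumption; point it at wherever the archive was unpacked.

```powershell
# Added example, not from the original post. Hashes are computed through .NET
# directly rather than Get-FileHash so the script also runs on the PowerShell 2.0
# that ships with Windows 7.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    # Lowercase hex with no separators: the same digest certutil prints, minus the spaces.
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Compare-SciLexer {
    param(
        [string]$Installed = 'C:\Program Files (x86)\Notepad++\SciLexer.dll',
        # Assumption: the zip/7z downloaded from the Notepad++ site was unpacked here.
        [string]$Reference = "$env:USERPROFILE\Downloads\npp-reference\SciLexer.dll"
    )
    $installedHash = Get-Sha256Hex $Installed
    $referenceHash = Get-Sha256Hex $Reference

    # Authenticode check of the installed DLL; read-only, so no elevation is required.
    $sig = Get-AuthenticodeSignature -FilePath $Installed

    New-Object PSObject -Property @{
        InstalledHash   = $installedHash
        ReferenceHash   = $referenceHash
        HashesMatch     = ($installedHash -eq $referenceHash)
        SignatureStatus = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
    }
}

Compare-SciLexer | Format-List
```

A NotSigned status on its own is not evidence of tampering for an older release; the decisive check here is HashesMatch against the DLL from the official archive of the same version, and a mismatch is what belongs in the helpdesk ticket.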