I don’t know enough about Windows app development to answer this. Maybe it replaces the old .exe and the now replaced .exe is just continuing to run from RAM? Maybe there is some restarter.exe program in the same folder that does all the work. In any case, this depends far too much on the Windows update process and how to launch applications.
I just know when I used Windows applications in the past, they were able to restart themselves after updating somehow.
After an update on Windows, you must close the application to clear the RAM before launching the updated exe.
Upon launching the new binary exe, Microsoft will check the code signing certificate and make sure its valid before letting it execute. If its not signed, you will be met with a warning that the binary publisher is unknown, and I believe that Microsoft won’t even let it launch nowadays
that’s all completely irrelevant…, there is already an update mechanism built into NPP: that’s the entire point of the attack… it’s this update mechanism that got hijacked
there are more ways to do signing than paying microsoft boat loads of money… just check a gpg sig file ffs (probably using detached signatures: again, it’s already built into existing tools and it’s a well-known, easily solved problem)
what’s irrelevant is the argument about how the auto update mechanism would work because it already exists
The gpg sig method works great on other operating systems that aren’t Windows or MacOS, but Windows and MacOS do not use that method to verify the authenticity of developer’s certificates.
The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system. The OS will not allow it to run without it being signed.
The malicious actor would not be able to drag and drop their malware in without the Notepad++ certificate. The signature wouldn’t match.
The certificate is not only doing authentication of the developer, but it is also doubling as an integrity check to make sure the code hasn’t been modified.
Windows and MacOS do not use that method to verify the authenticity of developer’s certificates.
completely irrelevant… software authenticity doesn’t have to be provided by your OS… this is an update mechanism that’s built into the software itself. a GPG signature like this would have prevented the hack
The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system
that’s what we’re saying: this update mechanism already exists, and seems to install unsigned software. that’s the entire point of this hack… the technical how it works is irrelevant
I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn’t have to deal with Microsofts method of signing software, but that kind of backfired on them.
the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
No, because you wouldn’t be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft’s security software in the process.
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
adding signing into that existing process without any 3rd party involvement is both free, and very very easy
which is why this is a solved (for free) problem on linux
I don’t know enough about Windows app development to answer this. Maybe it replaces the old .exe and the now replaced .exe is just continuing to run from RAM? Maybe there is some restarter.exe program in the same folder that does all the work. In any case, this depends far too much on the Windows update process and how to launch applications.
I just know when I used Windows applications in the past, they were able to restart themselves after updating somehow.
After an update on Windows, you must close the application to clear the RAM before launching the updated exe.
Upon launching the new binary exe, Microsoft will check the code signing certificate and make sure its valid before letting it execute. If its not signed, you will be met with a warning that the binary publisher is unknown, and I believe that Microsoft won’t even let it launch nowadays
that’s all completely irrelevant…, there is already an update mechanism built into NPP: that’s the entire point of the attack… it’s this update mechanism that got hijacked
If Notepad++ had a valid signing certificate, you wouldn’t be able to run the malicious binary in the update. How is that not relevant?
there are more ways to do signing than paying microsoft boat loads of money… just check a gpg sig file ffs (probably using detached signatures: again, it’s already built into existing tools and it’s a well-known, easily solved problem)
what’s irrelevant is the argument about how the auto update mechanism would work because it already exists
The gpg sig method works great on other operating systems that aren’t Windows or MacOS, but Windows and MacOS do not use that method to verify the authenticity of developer’s certificates.
The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system. The OS will not allow it to run without it being signed.
The malicious actor would not be able to drag and drop their malware in without the Notepad++ certificate. The signature wouldn’t match.
The certificate is not only doing authentication of the developer, but it is also doubling as an integrity check to make sure the code hasn’t been modified.
completely irrelevant… software authenticity doesn’t have to be provided by your OS… this is an update mechanism that’s built into the software itself. a GPG signature like this would have prevented the hack
that’s what we’re saying: this update mechanism already exists, and seems to install unsigned software. that’s the entire point of this hack… the technical how it works is irrelevant
Agreed.
If the updates were signed, then the malicious actor could not push their own updates. It would fail authentication and integrity checks.
yes but as you yourself said
the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
adding signing into that existing process without any 3rd party involvement is both free, and very very easy
which is why this is a solved (for free) problem on linux