Don't use opensource software.

>flaw in installer
So what, someone ships the installer with malware and installs different files when you double click the exe or something?

Holy mother of all nothingburgers

>>105718199 (OP)
Not my problem, I used chocolatey to install it.

>>105718199 (OP)
I'm more concerned with how you get the installer without reading the author's current thing politics

Why are freetroons like this?

then don't use notepad++

>>105718231
Ok, but why the fuck is the installer running other executables in the same directory?
I imagine that many people run installers from the same directory they download to, so having the installer run other executables could be a bigger problem than you think.

Use neovim or helix you retards

>>105718267
why do troons, better yet, of all kind, feel the need to believe Russia is big bad wolf, when Ukraine literally housed bio warfare labs on the border of Russia

>>105718303
Name 1 possible attack vector for this, in the real world
>please download my zip containing the original notepad++ installer and also these other files, and install notepad++ from it :^)
There's nothing stopping them from just replacing the notepad++ installer with malware

>>105718335
they don't support mouse though

>>105718344
I couldn't give a fuck about Russia vs. Ukraine and I like Taiwan I just don't want to hear about it from my notepad. Do these faggots not realize they are hurting their own cause?

>>105718303
yes, it's a problem. no, you aren't going to be attacked this way.

>>105718303
The installer runs regsvr32.exe which is normally in Windows' system32 folder.
If you have a file with the same name in your folder, it will get execute instead of the legit one.
This is not a bug. It's just how Windows works.

This is true for every program that loads Windows' built-in executables or dlls, not just Notepad++

>>105718359
Ignore the attack vector part.
Why the fuck is it running random executables in the same directory?

>>105718409
>If you have a file with the same name in your folder, it will get execute instead of the legit one.
>This is not a bug. It's just how Windows works.
So they're relying in PATH to execute the correct file.
You can avoid this a number of ways.

>>105718409
wasn't this the default windows behavior for like 25 years?

>>105718426
Yes, it is.

>>105718431
but didn't it get changed in 8/8.1 to where if it's a system dll it won't load it from current directory as first priority anymore?

>>105718414
It's probably looking for a DLL with a specific name and loads it if it's in the same directory or something

>>105718423
Lmao retards like OP will screech about CVEs without even reading or understanding them. This is a complete joke. It doesn't matter if it's open source or closed source how is anybody going to leverage this to own you?

>>105718440
I'm not sure but for things like directx dlls, the program still searches in its working directory first.

>>105718199 (OP)
I just updated notepad through an installer
Am I coocked?

>>105718344
Because Putin and Russia is anti-LGBT

>>105718199 (OP)
why the fuck does an installer for a text editor need SYSTEM permissions? and why are you blaming "opensource software" for a flaw that comes with Windows?

also
>local privesc
>requires user interaction or special conditions
>>105718231

>>105718816
>why the fuck does an installer for a text editor need SYSTEM permissions?
Because it installs to Program Files
Retard alert

>>105718862
>installing a shitty editor requires SYSTEM
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

>>105718199 (OP)
>105718816
dont use windows, unsecure unreliable trannyos.

>>105718816
>why the fuck does an installer for a text editor need SYSTEM permissions?
Registering file type association and adding the context menu. (Edit with Notepad++)

>>105718862
Yeah retards at microsoft.

>>105718199 (OP)
NEVER tick the box that says run this program after installing, it will immediately run the program with admin privileges.

>>105718869
Yeah, just like installing a package to /usr/share requires root privileges on Linux
And before you make a stupid counter argument, Administrator and SYSTEM on Windows are functionally identical

>>105718862
>>105718877
Windows is such a shithole

>>105718933
You'd need to use sudo to do the equivalent same thing on linux doe

>>105718927
>Yeah, just like installing a package to /usr/share requires root privileges on Linux
Except you don't need to install programs to /usr/share
Except you don't need root access to associate file types to a software

>>105718945
Bullshit, read >>105718946

>>105718946
You don't *need* to install programs to a system directory on Windows either. You can check the box in most installers that says "install for all users" to install locally without admin permissions, and it will go to %appdata% instead.

>>105718963
You still need system access to write to the registry and add a context menu.

>>105718955
In both Linux and Windows you can install something system-wide for all users, or locally for the current user, and the former requires root/admin permissions.
This is standard operating system stuff, of all the possible arguments you could make this is the most retarded hill to die on

>>105718972
In any Linux desktop environment I guarantee you need to use root to alter the context menu or change file associations for all users as opposed to just the current user.

>>105718977
are you literally dense or something >>105718972

>>105718877
I see. is that required for system wide association or just for the current user?

>>105718199 (OP)
btw, just in case you retards don't know: this is actually a Windows problem.
https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637
here's one of the earliest cases of this vuln: https://seclists.org/bugtraq/2000/Sep/331

>>105718946
b8. this vulnerability has nothing to do with any of that.

>>105718990
>I guarantee you need to use root to alter the context menu
This would be an absolutely retarded thing to do

>>105718995
Please stop posting, you're embarrassing yourself
>>105719005
That's not what I said

>>105719009
>greentexts you
>I didn't say that
Retard

>>105718990
>I guarantee you need to use root to alter the context menu or change file associations
anon, you are in the technology board. you don't need to "guarantee" anything, you have to prove it, and I'm sure you can do it

>>105718999
>>105718199 (OP)
here's the same vuln affecting itunes (lmao): https://lists.openwall.net/bugtraq/2010/08/18/4

>>105719013
>quotes a cherry picked version of the sentence that leaves out the condition after the conjunction to alter the meaning
Are you illiterate or do you work for a tabloid newspaper? At this point I think you're just ragebaiting me so I'm going to stop replying.
>>105719015
Burden of proof is on you, faggot

>>105719041
>worms
I was referring to everything you wrote, not just the part I greentexted. And I repeat myself: This would an absolutely retard thing to do.

reminder: MrVacBob, aka astrange, is the one making these anti-Linux bait threads. he's an Apple employee and fanboy. that's why even reporting them as flamewars won't get them deleted.

>>105718562
the vulnerability only applies to people who run the installer while there's also a specially crafted file with a certain name in the same directory so no
>>105719053
it would be retarded to use root to make it so all users can double click a .doc file and open libreoffice writer?

>>105719076
yes
Why do you need 3 posts to understand a simple sentence?

>>105718946
you are a stupid fucking retard for whom nobody asked his opinion

>>105719083
so then do you personally run chmod 777 on every directory in /home or something so you can do actions like that without root? genuinely confused at what point you are making here

>>105719088
seethe

>>105718485
Well, that makes any windows executable vulnerable since they're looking for dlls in their folder first

>>105718199 (OP)
damn, maybe if he spent more time working on his software and less time virtue signaling about the latest thing he read on /p/edosky, this never would've happened

>>105719096
File extensions are managed on user level.

>>105719106
>more bait
it's a Windows user. even MS office and itunes were affected at some point

>>105719116
>user
*issue
see >>105718999
>https://seclists.org/bugtraq/2000/Sep/331
and >>105719026
>https://lists.openwall.net/bugtraq/2010/08/18/4

>>105719109
for the local user yeah, I am talking about the very common everyday scenario where YOU as the system administrator are installing a software suite for all users and want to create file associations for all users, unless you're implying that's some kind of security issue? do you want to petition linux distro maintainers to stop requiring root for package manager commands too?

>>105718955
On Linux we have packages instead that are just files and some metadata. Package managers themselves are installed in trusted environment, loading trusted system libraries and if there any security vulnerabilities they're getting quickly fixed as long as your distro is supported.
On Windows installers are just executables that can do any sort of retarded shit, they load libraries from their own directory like any other Windows executable and they don't get updated as long as you don't download new version manually because windows still don't have centralized system for updating software.

>>105719184
If I run `sudo apt install ./shitballs.deb` it will run any install scripts it wants with elevated privileges however

>>105718199 (OP)
lol again? this shit was revealed to be a glownigger backdoor int he Vault 7 leaks

>>105718267
now I fucking KNOW this shit was an intentional backdoor

>>105718405
>i like taiwan
okay moshe
you will never have my foreskin

>>105719207
So what? These install scripts are part of package itself and not some random files that will be executed just because they're in the same folder with the package unlike Notepad++ installer. What's your point?

Who gives a fuck? It's user space software, you already have access to user space if you run it.

>>105719249
>I'm a retarded nigger
I know that. Do you think that is new information to me or something? I already can tell by your typing style that you're a stupid nigger.

>dumb freetard didnt fully qualify his path
>like an actual programmer with more than 36 hours experience would
>this is windows fault honest guize
Don't ever change, /g/.

>>105719272
This behavior is related to PATH (as in the variable), not path

>>105719284
>When you can't win an argument
Obfuscate

>>105719260
It's you retarded nigger wintoddler
And as another anon pointed out you don't need sudo rights to install deb package, you can just extract it into ~/.local folder, point LD_LIBRARY_PATH if needed and application will work just fine, even mimetypes will be properly assigned

>>105719298
Nigga wut
PATH is not obscure

why doesnt windows use a package manager by default? this seems like an oversight

>>105718199 (OP)
I like notepad--. I'd rather give my data to bugs than kikes.

>>105719284
No, this behavior is related to a dumb freetard who didn't fully qualify his path like an actual programmer with more than 36 hours experience would.
I explained this clearly, yet you didn't understand it - making you an even dumber freetard that Shitpad--'s author.

>>105718344
because russia is the one that started the attack and is the one that could easily stop it.

>>105718405
>I just don't want to hear about it from my notepad.
You don't. You only maybe see it once when you download the installer. None of this shows up during updates or day-to-day usage.

>>105719415
actual programmers like those working at apple and microsoft? (>>105719126)

>>105719214
More specifically, the CIA was performing a DLL hijack
https://wikileaks.org/ciav7p1/cms/page_20251107.html
https://wikileaks.org/ciav7p1/cms/page_26968090.html
https://notepad-plus-plus.org/news/v733-fix-cia-hacking-npp-issue/
From the brief reading I've done, it seems like the PC had to be compromised already for the exploit to work.

>>105719388
package managers cause more issues

>>105719298
You're breaking the cardinal rule, anon: never attribute to malice what can be explained by absolute blinding stupidity or ignorance. Never forget that morons, especially the 4chan variety, simply skip words they don't understand. He doesn't know what "fully qualify" means, so he skipped them went straight to "his path".
And surprise surprise, the author fixed it by using a fully-qualified path to regsvr32.exe.
This is a common freetard L, as their glorified 1970s monitor pretending to be an OS relies extensively on the PATH environment variable to find things, because they've never developed any standards whatsoever on where files actually go in the intervening 55 years.
As an aside, it's actually quite fun to throw fake explorer/regsvr32/netsh/notepad EXEs into a folder with freetard shitware, and see how they destroy themselves.

>>105718885
>>105718933
You know that Linux needs sudo for system wide installations too?

>>105718972
WRONG. As long as you use HKEY CURRENT USER instead of HKEY LOCAL MACHINE you don't need admin

>>105718409
God damn windows is a joke

>>105719388
Winget literally just downloads the installer from github and runs it silently.

>>105719578
It's not using fully qualified path, it's still relying on environment variable
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/f2346ea00d5b4d907ed39d8726b38d77c8198f30#diff-580bd403fccfaf7a61c234d50ea837e03e0be90aa79fb7fc1dc34338261b9d72R256

>>105719105
It's called DLL Hijacking.

>>105718199 (OP)
Portable chads don't have this problem.

>>105718344
>feel the need to believe Russia is big bad wolf
Because it is.
>when Ukraine literally housed bio warfare labs on the border of Russia
Nice propaganda you got here Ivan, now go get droned already

>>105718199 (OP)
is it possible to use only proprietary software? like windows is bundles with curl and stuff, macos comes with zsh I believe, android uses loonix kernel obviously, ur web browser is mostly open source

>>105719444
>because russia is the one that started the attack
>thinks it all started in 2022 for no reason at all..

>>105720405
Troon spotted

>>105718364
they do, you dunce

good thing installer is not offensive to sex workers anymore

>>105718364
Even regular vim supports mouse

>>105720955
I was very curious at first how nurses and free sex were connected, until I read to the end.

>>105718231
Wow, its fucking nothing. I remember the days when we had things like mimikatz to get system privileges and even plainext passwords without admin

>>105720836
>it all
the war definitely did. and there was no prior act that directly provoked it

>>105718199 (OP)
this wouldn't have happened on Windows 12 Pro

>>105718231
>Downloads folder - which is known as Vulnerable directory

XDXDXDXDXDXD LMAOOOOOOOO

Lol is the /k/ janny on /g/ now

>>105719214
It was one of many targets on computers that were already infected.
Unless you were already pwned, or copied an installation from an infected computer, you were immune.
If you just downloaded it from official sources like a normal person, you have nothing to worry about.

>>105718231
oh fuck offffffffffff

>requires you to download a malicious file
>requires you to put it in the same folder as the installed
>requires you to grant admin permission
>problem has been a known attack vector for years and is not unique to np++
wow it's fucking nothing

>>105718231
LMAO.
>>105718199 (OP)
Implying closed source was any better.
Also: Who uses the installer. Like why use FOSS and use an installer.

I am so glad I just don't update my systems. Checkmate effortards.

>>105718199 (OP)
>Don't use software made by mentally ill virtue signaling morons who can't shut the fuck up about politics
ftfy

Why do most software devs turn into far-right pro ukraine and politics shit then just go quiet makes more sense why he stopped using X for bluesky to avoid flame.

>>105718199 (OP)
>updates it 15 times a day
>still full of security holes
The fuck are they even doing over there?

>>105718231
>social engineering

So this can basically be prevented with a public awareness campaign advising users what to watch out for.

>>105718199 (OP)
What about Geany?

>>105718199 (OP)
>Care more about politics than making a good program
Many such cases...

>>105718426
Running executables reachable via the PATH environment is actually default DOS behavior, even.
So it's 40+ years old.

Also, afaik / iirc, it's only used when starting a process via a shell - which is not the default when creating a Win 32 child process. If you start a child process the regular way, you actually NEED to supply a full path. And there's a Win32 API to get the system folder - because it doesn't have to reside in C:\Windows of course.

This probably isn't even a problem created by the Notepad++ author themselves, but by whatever people created the installer-toolkit the author used to build his sofware's installer.

>>105718231
Surreptitiously is such a cool word.