Few days ago, I recommended the use of Notepad++ to a close person, and it’s not the first or second time I’ve recommended this veteran app. Next November will be 20 years since it was first released, and although I hadn’t started using it then, I remember coming across it for the first time and adding it to my must have sometime between 2004 and early 2005. Since then, . it was on the list of software I install on every new computer I get my hands on.

However, and for the first time since I met him, I have to be quite critical of its developers, and they’ve known about several vulnerabilities in their software for several months and still haven’t patched them. This in itself is dangerous, but it takes on an even more disturbing dimension when we know that the nature of these vulnerabilities has been public knowledge for several weeks, and that they can therefore be exploited by anyone with the necessary knowledge.

But let’s go to the beginning. In March of this year, Notepad++ version 8.5 was released and A month later, GitHub’s security lab identified a vulnerability in it. The security service, as is common in this type of cases, proceeded to inform the developers of the application and set a deadline for its correction before publishing its essence. This is common practice in responsible disclosure policies, in which the nature of the problem is not disclosed to prevent cybercriminals from exploiting it, but a remediation deadline is set to prevent developers from neglecting the need to fix vulnerabilities.

However, as we can read on the website of this investigation, Four months after the initial communication, those responsible for Notepad++ have still not patched the vulnerabilities. And we can’t say it’s due to lack of activity, since there were several updates released in that time frame (from 8.5.3 to 8.5.6). And only a few weeks after the full disclosure of the vulnerabilities, the 8.5.7 update was released, which finally fixes all these problems.

Being more specific, the full reveal took place on August 21a week after the release of Notepad++ 8.5.6, which preserved this vulnerability, leaving users of the software highly exposed to this security threat until just two days ago when the 8.5.7 update was finally released that puts an end to these issues. But the problem is even worse because, as you can see in the image below, at the time of publishing this news, if you have version 8.5.6 (affected, I recall) installed, the software update system indicates that there is no update available at the moment:

So what remains use the link that goes to the download page, where luckily we find an update that surprisingly doesn’t show up in the program’s update function:

So it goes without saying that if you are a Notepad++ user You should update to this version immediately, otherwise you will face unnecessary risk. And yes, hence the good blow to Don Ho for allowing users of the software he created and maintained for so long to be exposed to this threat. These types of problems can damage the reputation and good image that this app has had for many years, and that would be a real shame, because the prestige it has undoubtedly earned has been earned through great work. flight.