I noticed that a CVSS 10 exploit has been released for Notepad++ (http://www.cvedetails.com/cve/CVE-2014-9456/), but I don't see anything in the release notes discussing it. Has this been fixed in current versions? Thanks.
Anyone?
If it makes you feel better, I had trouble reproducing this with the POC, and subsequently tried contacting the author of the POC.
I tried contacting him in 5 separate ways (three emails, Twitter, & Facebook), and got no response. So it might not be a legit issue.
That said, I estimate that there are ~50 issues that are at least as serious/exploitable as this one.
If you're concerned about security, run Notepad++ under Application Verifier (with "Full", "Size", "Protect", "Addr", and "UseLFHGuardPages" - all under "Basics"->"Heap" - enabled). Notepad++ will probably crash on literally every use, but it won't be nearly as vulnerable.
Yes, every crash under Application Verifier represents an actual bug. Yes, there are that many bugs in Notepad++.