CIA hacking SciLexer.dll

[PawelTroka]

I have just read about bug-fix made in Notepad++ 7.3.3 for CIA hacking SciLexer.dll Since ScintillaNET is also using this component I thought that maybe some similar bug-fix should be introduced here. See: https://wikileaks.org/ciav7p1/cms/page_26968090.html https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html https://notepad-plus-plus.org/community/topic/13415/v7-3-3-fix-cia-hacking-notepad-issue/7 https://github.com/notepad-plus-plus/notepad-plus-plus/issues/3002 https://github.com/notepad-plus-plus/notepad-plus-plus/commit/b869163609473f05c4f5d1d72a579b9f6af66ccd

[jacobslusser]

Actually, I read the story when it broke several weeks ago. What the hack boils down to is replacing one or more of the DLLs used in Notepad++ with modified ones. This issue is hardly specific to Notepad++. Any program in Windows that uses DLLs can potentially have this problem.

The fix that the Notepad++ team has decided to implement is to check the DLL signature before loading it. It shouldn't be too difficult to do the same in ScintillaNET and I have no problem adding that to the backlog.

Be aware that for this to truly make a difference in an application, developers need to also used the signed version of ScintillaNET and make sure their application is only using and requires signed, strong-named DLLs. Otherwise, we would go to all the trouble of making sure we have the right SciLexer.dll, but the application itself is not checking the ScintillaNET DLL.

Finally, be aware that there is no fix if someone wants to replace the application EXE with a modified one.