
Software vendors are closing the vulnerabilities used by the CIA en masse



Apple, Google, Microsoft, Samsung and other companies responded quickly to the leak of CIA documents containing detailed descriptions of hacking tools and dozens of 0day vulnerabilities in popular programs and devices.

Among the first to respond last night were the developers of the Notepad++ text editor, which the CIA exploited by substituting a DLL. The editor supports syntax highlighting for many programming languages, so even some developers use it.

The Vault 7 documents mention replacing a DLL in Notepad++. More precisely, one of the developers or testers of the exploit complains about a small problem with the finished exploit. As stated in that note, Notepad++ loads Scintilla, the "code editing component" (a separate project), from the SciLexer.dll dynamic library located next to the executable. This library exports only one function, Scintilla_DirectFunction.
The author quotes the open source code of Notepad++ to determine the prototype of the exported function:

 sptr_t __stdcall Scintilla_DirectFunction(ScintillaWin *sci, UINT iMessage, uptr_t wParam, sptr_t lParam)

The programmer or tester admits that he has not been able to call this function in any way, even after installing additional plugins that should talk to Scintilla directly. At the same time, he makes it clear that the current prototype (the replacement of the SciLexer.dll library) works fine, and expresses the hope that colleagues will solve this problem as well.

Literally the day after the documents leaked, the Notepad++ developers released a new version, Notepad++ 7.3.3, which addresses the replacement of the original SciLexer.dll with the CIA's version of the library, which collects data in the background.

The problem was solved radically. Starting with version 7.3.3, the editor checks the certificate of the SciLexer.dll library before loading it. If the certificate is missing or invalid, the library is not loaded, and Notepad++ itself will not run.

Certificate verification is not absolute protection. The developers rightly note that if an attacker has gained access to a computer, he can formally do anything with the system components on it. This protection merely prevents the text editor from loading a malicious library. Nothing stops the CIA from replacing, say, not the library but the entire notepad++.exe executable, if the CIA controls the computer.

The developers compare this protective measure to fitting a lock on the front door. Obviously a door lock does not stop someone determined to get inside, but it is still customary to lock the door every time you leave the house.
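As an added illustration of the kind of check version 7.3.3 introduced (this is not the Notepad++ project's code, but a defender-side audit written for this article), the PowerShell script below inspects every DLL beside notepad++.exe for a valid Authenticode signature from the expected publisher. The install directory and the expected signer name are assumptions; a library signed by a different publisher is reported as untrusted just like an unsigned one.

```powershell
# Added example (not from the article or the Notepad++ project): audit the DLLs
# next to notepad++.exe the way version 7.3.3 audits SciLexer.dll before loading.
# $InstallDir and $ExpectedSubject are assumptions; adjust them for your install.
param(
    [string]$InstallDir = "$env:ProgramFiles\Notepad++",
    [string]$ExpectedSubject = 'CN=Notepad++'   # hypothetical expected signer CN
)

function Test-SideloadedDll {
    param([string]$Path, [string]$ExpectedSubject)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $subject
        # Trusted only if the signature is valid AND the signer is the one we expect:
        # a valid signature from some other publisher is still a substituted DLL.
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSubject*")
    }
}

$dlls = Get-ChildItem -Path $InstallDir -Filter *.dll -File
$results = foreach ($dll in $dlls) {
    Test-SideloadedDll -Path $dll.FullName -ExpectedSubject $ExpectedSubject
}
$results | Format-Table -AutoSize

$untrusted = $results | Where-Object { -not $_.Trusted }
if ($untrusted) {
    Write-Warning "Untrusted DLLs found: $($untrusted.File -join ', ')"
    exit 1
}
```

Note that, as the article says, this is only a door lock: an attacker who already controls the machine can replace notepad++.exe itself, so the script is a detection aid, not a guarantee.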

Other popular programs


The Notepad++ hack was part of the Fine Dining operation, in which the CIA produced exploits for a range of popular programs. In total, the Fine Dining list includes modules for 24 applications. For most of them, DLL substitution was used.


Of course, the CIA has far more advanced exploits, for example, rootkits injected into the operating system kernel, BIOS infection, and so on. But this example shows that the intelligence officers did not shun simpler, less sophisticated methods such as DLL substitution. Perhaps these simple exploits were developed by interns or third-party contractors.

It is clear that it is impossible to fully protect oneself from government surveillance; they have too many resources. But if we are able to close some vulnerability, we should do so, despite the general futility of the exercise.

One way or another, other software vendors also reported on the measures taken.

Apple said that many of the vulnerabilities in its devices and software that are mentioned in the documents are no longer relevant, that is, they are not in the latest version of iOS. Obviously, the rest of the “holes” will be patched in the next releases.

Microsoft commented: "We are aware of the documents and are studying them."

Samsung, whose F8000 series televisions the CIA hacked, said: "We are aware of the report and are urgently investigating this issue."

Google's director of information security and privacy expressed confidence that the latest security updates for Chrome and Android should protect users from most of the vulnerabilities mentioned in the documents: "Our analysis continues and we will implement any necessary protection measures."

UPD: Julian Assange said today that technology companies will have exclusive access to CIA exploits before they are publicly available.

Source: https://habr.com/ru/post/402161/