• Kazumara@discuss.tchncs.de
    14 points · edited · 1 day ago

    I don’t get how this was exploited in practice.

    Even if the signatures on the downloaded packages weren’t checked properly, how would you modify the content of the XML file returned from https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.0 ? For that you’d have to break or MITM the TLS too, no?

    The usual case for TLS MITM is when a company decides DPI is more important than E2E encryption and terminates all TLS on the firewall, but if the firewall is compromised there would be much easier avenues of entry than notepad++.

    • SteveTech@aussie.zone
      5 points · 1 day ago

      Maybe it was used as some sort of privilege escalation? E.g. NP++ downloads an XML file to %TEMP%, some already-present malware modifies it, then GUP downloads a payload and executes it with administrator permissions.
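To make the two scenarios in this thread concrete (the manifest MITM Kazumara asks about, and the local rewrite in %TEMP% SteveTech suggests), here is an added example in Go. It is not part of the thread and not Notepad++ or GUP code. The manifest schema, the allow-listed host, the Ed25519 key pinned in the updater, the file contents and the URLs are all constructed for the example. It shows a naive updater that trusts whatever is in the temp directory beside a hardened check that refuses a rewritten <Location> and an installer that no longer matches the vendor's signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update manifest for this example; it is not
// the schema GUP uses. Signature covers the installer bytes, not the XML.
type Manifest struct {
	XMLName   xml.Name `xml:"GUP"`
	Version   string   `xml:"Version"`
	Location  string   `xml:"Location"`
	Signature string   `xml:"Signature"` // base64 Ed25519 signature over the installer
}

var (
	ErrBadLocation  = errors.New("update location rejected")
	ErrBadSignature = errors.New("installer signature invalid")
	// Hosts the updater may fetch from (an assumption for the example).
	allowedHosts = map[string]bool{"notepad-plus-plus.org": true}
)

// checkLocation refuses anything that is not HTTPS to an allow-listed host, so a
// rewritten <Location> cannot redirect the download to an attacker's server.
func checkLocation(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return fmt.Errorf("%w: %q", ErrBadLocation, raw)
	}
	return nil
}

// hardenedCheck validates the location and verifies the installer bytes with a
// key pinned in the binary. Only then would the updater execute the installer.
func hardenedCheck(pub ed25519.PublicKey, manifestXML, installer []byte) error {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return err
	}
	if err := checkLocation(m.Location); err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || !ed25519.Verify(pub, installer, sig) {
		return ErrBadSignature
	}
	return nil
}

// naiveCheck models an updater that trusts the files in %TEMP%: it parses the
// manifest and proceeds no matter where the location points or what it downloaded.
func naiveCheck(manifestXML, installer []byte) error {
	var m Manifest
	return xml.Unmarshal(manifestXML, &m)
}

type Outcome struct {
	NaiveTampered    error // naive updater on the rewritten files
	Genuine          error // hardened check on the vendor's files
	TamperedLocation error // hardened check after <Location> was rewritten
	TamperedPayload  error // hardened check after the installer was swapped
}

func buildManifest(location, sigB64 string) []byte {
	return []byte(fmt.Sprintf(`<?xml version="1.0"?><GUP><Version>8.8.1</Version>`+
		`<Location>%s</Location><Signature>%s</Signature></GUP>`, location, sigB64))
}

// Scenario stages the chain from the thread: a signed manifest and installer land
// in a temp directory, then a local process rewrites them. Constructed data.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed: genuine installer bytes")
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, installer))
	genuine := buildManifest("https://notepad-plus-plus.org/example/npp-installer.exe", sig) // made-up path
	redirected := buildManifest("https://attacker.example/npp.exe", sig)                    // rewritten by local malware
	swapped := []byte("constructed: attacker's payload")                                     // installer replaced in %TEMP%

	return Outcome{
		NaiveTampered:    naiveCheck(redirected, swapped),
		Genuine:          hardenedCheck(pub, genuine, installer),
		TamperedLocation: hardenedCheck(pub, redirected, installer),
		TamperedPayload:  hardenedCheck(pub, genuine, swapped),
	}
}

func main() {
	o := Scenario()
	fmt.Println("naive, tampered files:", o.NaiveTampered)
	fmt.Println("hardened, genuine:", o.Genuine)
	fmt.Println("hardened, location rewritten:", o.TamperedLocation)
	fmt.Println("hardened, installer swapped:", o.TamperedPayload)
}
```

The point of the design is that the trust anchor (the pinned public key) does not live in the same writable directory as the files being checked, and the signature is verified over the bytes that are about to be executed, not over the XML that merely describes them. A manifest that is only fetched over TLS but then re-read from a shared-writable temp file is exactly the window the second comment describes; a signature check just before execution closes it regardless of how the file got there.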