RealTime IT News

PGP Plug-in Flaw Leaves Encryption Vulnerable

The world's most popular e-mail encryption tool, PGP (for Pretty Good Privacy), has a flaw that could allow a malicious hacker to seize control of a user's machine and access encrypted communications.

The flaw lies in Network Associates Inc.'s (NAI) PGP plug-in for Microsoft's Outlook e-mail client. It affects NAI PGP Desktop Security 7.0.4, NAI PGP Personal Security 7.0.3, and NAI PGP Freeware 7.0.3. It does not affect PGP Corporate Desktop users, nor does it affect a plug-in for Microsoft's Outlook Express e-mail client. NAI has made a patch available.

The flaw was uncovered by eEye Digital Security, which said it leaves both a target's machine and PGP-encrypted communications open to compromise. It can also be exploited anonymously.

The vulnerability could allow an attacker to overwrite certain heap memory structures used by the PGP plug-in. It does not require the victim to open an attachment.

Once hackers have infiltrated a victim's machine, they can leave behind spyware to record keystrokes, steal important information like financial records, or uncover the public keys used to encrypt e-mails.