PGP Plug-in Flaw Leaves Encryption Vulnerable

The world’s most popular e-mail encryption tool, PGP (for Pretty Good Privacy), has a flaw that could allow a malicious
hacker to seize control of a user’s machine and access encrypted communications.

The flaw lies in Network Associates Inc.’s (NAI) PGP plug-in for Microsoft’s Outlook e-mail client. It affects NAI PGP Desktop
Security 7.0.4, NAI PGP Personal Security 7.0.3, and NAI PGP Freeware 7.0.3. It does not affect PGP Corporate Desktop users,
nor does it affect a plug-in for Microsoft’s Outlook Express e-mail client. NAI has made a patch available.

The flaw was uncovered by eEye Digital Security, which said it leaves both a target’s machine and PGP-encrypted communications open
to compromise. It can also be exploited anonymously.

The vulnerability could allow an attacker to overwrite certain heap memory structures used by the PGP plug-in. It does not require
the victim to open an attachment.

Once hackers have infiltrated a victim’s machine, they can leave behind spyware to record keystrokes, steal important information
like financial records, or uncover the public keys used to encrypt e-mails.
