PGP Outlook Encryption Plug-in Vulnerability
by Berislav Kucan
Bookmark and Share
eEye staffers Marc Maiffret and Riley Hassell, were again busy on finding the bugs, so a new advisory hit the "streets" today. This time, there is a remote vulnerability in NAI PGP Outlook plug-in which is included in these products: NAI PGP Desktop Security 7.0.4, NAI PGP Personal Security 7.0.3 and NAI PGP Freeware 7.0.3. eEye's information on the vulnerability can be found below (just an overview of the problem, for full advisory click the link below.



Title: Remote PGP Outlook Encryption Plug-in Vulnerability

Link: http://www.net-security.org/vuln.php?id=1857

A vulnerability in the NAI PGP Outlook plug-in can be exploited to remotely execute code on any system that uses the NAI PGP Outlook plug-ins. By sending a carefully crafted email, the message decoding functionality can be manipulated to overwrite various heap structures pertinent to the PGP plug-in.

This vulnerability can be exploited by the Outlook user simply selecting a "malicious" email, the opening of an attachment is not required. When the attack is performed against a target system, malicious code will be executed within the context of the user receiving the email. This can lead to the compromise of the target's machine, as well as their PGP encrypted communications. Also, it should be noted that because of the nature of the SMTP protocol this vulnerability can be exploited anonymously.



Network Associates released a hotfix for this problem:

File: PGPOutlookPluginHotfix_20020710.zip

Size: 90 kb

Platform: Windows 95, 98, ME, NT, 2000, XP

Version: 7.0.3/7.0.4

Date: 07/10/02

Release note:The PGP plug-in for Microsoft Exchange/Outlook can experience a buffer overflow when processing e-mail. This vulnerability makes it theoretically possible for a third party to run malicious code on the affected system. (Note: This issue does not affect PGP Corporate Desktop users.) This hotfix fixes the buffer overflow problem, and removes the potential vulnerability.

Link: http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

Spotlight

What does the future hold for cloud computing?

Posted on 21 July 2014.  |  Cloud computing’s widespread adoption by businesses and consumers alike all but guarantees that, in five to ten years’ time, the technology will still be very much with us.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //