PGP Flaw Affects Microsoft Outlook

Written By
Dennis Fisher
Jul 11, 2002

Security researchers have found a vulnerability in several versions of the popular PGP Desktop Security plug-in for Outlook that gives a remote attacker the ability to execute code on vulnerable PCs.

The problem lies in the software's message decoding functionality, which can be manipulated by an attacker sending a specially formatted e-mail message, resulting in an overwrite of a portion of the heap structure. A successful exploitation of the flaw could result in compromise of the victim's machine and any PGP-encrypted communications, according to a bulletin released by eEye Digital Security Inc., which discovered the flaw.

The vulnerability affects versions 7.0.3 and 7.0.4 of the PGP Desktop Security plug-in and version 7.0.3 of the PGP freeware.

The flaw is not in the encryption scheme used by the PGP software but instead lies in the small piece of client software that users of Microsoft Corp.'s popular Outlook mail client must use in conjunction with PGP.

This vulnerability is especially dangerous given that the victim would simply need to open the malicious e-mail—without opening any attachments—for the attack to begin.

A patch for the vulnerability is available at the company's Web site.

PGP, now owned by Network Associates Inc., was the first freely available desktop encryption program and is widely used all over the world. Soon after its introduction more than a decade ago, the software gained a cult following among what was then a small community of people on the Internet.

Dozens of similar applications have hit the market since then, but PGP has remained the de facto standard.

As part of an ongoing restructuring effort, NAI, of Santa Clara, Calif., has stopped selling PGP products.
