You are here: silicon.com > Software > Security Strategy

Security Strategy

PGP flaw turns emails into 'digital bullets'

Threatens those with the most to lose

Printer Friendly Email Story RSS

By Robert Lemos

Published: 6 September 2002 17:20 BST

Email messages encrypted with the Pretty Good Privacy (PGP) program can be used as 'digital bullets' to attack and take control of a victim's computer, according to security consulting firm Foundstone.

Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organisation's network," Foundstone said in an advisory note.

The company classified the vulnerability as a high risk "due to the trusting nature of encrypted attachments in email, its relative ease of exploitation and the large amount of corporations and military and government agencies that rely on PGP encryption for secure communication."

The flaw occurs in the way PGP handles long file names in encrypted archives, Network Associates said on its site. PGP runs into problems when it tries to encrypt or decrypt files that have names longer than 200 characters. When PGP attempts to decrypt the files, a buffer overflow causes it to crash.

The long file names aren't readily apparent to a recipient of such an email, said Foundstone CEO George Kurtz.

"It is just like a ZIP file," Kurtz said. "You can name a file with eight characters, but archived in the file are several other (files) with long file names."

The danger, Kurtz said, is that the flaw could be used to attack users who have the most to protect. "Most users of PGP have some level of security sophistication. It makes it that much more of a high-level attack," Kurtz said. An attacker could "obtain that very valuable information that was meant to be protected by encryption".

The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker Network Associates has posted a patch on its site (http://www.nai.com). The company recently sold all PGP assets to a start-up, PGP Corp., but appears to still be providing support for the program. Neither company could be reached for comment.

The current vulnerability resembles another flaw in the PGP plug-in for Outlook, found in early July.

Robert Lemos writes for News.com

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Related Links

Zimmermann hits back at 'terrorist aid' accusations

Pretty Good Privacy pretty much dead

PGP defect reveals encrypted messages

Open File Backups: How BackupAssist Handles Open Files in Windows NT, 2000, XP and 2003

Microsoft finds malicious attack flaw

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Peter Cochrane Peter Cochrane's Blog: Is convergence a fiction? Or could it finally be happening…

Clive Longbottom Quocirca's Straight Talking: A game of two halves Microsoft Virtualisation scores while its SOA bores...


Has Barclays stamped out fraud with PINsentry?

Courts to save millions with streamlined tech

Soham report IT systems still not in place

RIM warns on BlackBerry PDF flaw

Privacy chief fights UK-wide database

Coming soon - malware threats to iPhone 2.0?



  • Jobs
WebMaster opportunities-one of the Worlds leading Sports & Media Co\'s

My client is a Global Media and Sports Company who works with the world's leading marketing and media Companies - they specialising in offering ...

Backup Administrator ( Windows, Linux, Veritas, Legato, Netbackup, Omniback ) - West London

Windows environment  Basic knowledge of TCP/IP and DNS  Previous experience and understanding of backup system such as: o File system ...

Clinical Trial Associate / CTA - South - East - Global Pharmaco

You will be supporting the associate director and project manager on activities such as preparing documents to submit to the ethics committee and ...

CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.

Law firm gets SaaSy with email security

Taylor Woodrow heads for the cloud

College classrooms go high-tech

Customer Perspective: Tata Telecom

eVerge Takes on the Competition With PeopleSoft ESA for Professional Services

Microsoft Dynamics GP Demo

MSDN Webcast: Demystifying Office Business Applications for the Developer (Level...

Stories from the web...


Peter Cochrane's Video Blog: For whom the bell tolls

60-Second Pitch: FMC

Peter Cochrane's Video Blog: Power outrage


The £500k hunt for missing HMRC discs

Beeb appoints new iPlayer chief

Indian outsource giants feeling the pinch

Has Barclays stamped out fraud with PINsentry?

Number of free ATMs to increase by a third




Quick Sitemap Links: