Threatens those with the most to lose
By Robert Lemos
Published: 6 September 2002 17:20 GMT
Email messages encrypted with the Pretty Good Privacy (PGP) program can be used as 'digital bullets' to attack and take control of a victim's computer, according to security consulting firm Foundstone.
Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organisation's network," Foundstone said in an advisory note.
The company classified the vulnerability as a high risk "due to the trusting nature of encrypted attachments in email, its relative ease of exploitation and the large amount of corporations and military and government agencies that rely on PGP encryption for secure communication."
The flaw occurs in the way PGP handles long file names in encrypted archives, Network Associates said on its site. PGP runs into problems when it tries to encrypt or decrypt files that have names longer than 200 characters. When PGP attempts to decrypt the files, a buffer overflow causes it to crash.
The long file names aren't readily apparent to a recipient of such an email, said Foundstone CEO George Kurtz.
"It is just like a ZIP file," Kurtz said. "You can name a file with eight characters, but archived in the file are several other (files) with long file names."
The danger, Kurtz said, is that the flaw could be used to attack users who have the most to protect. "Most users of PGP have some level of security sophistication. It makes it that much more of a high-level attack," Kurtz said. An attacker could "obtain that very valuable information that was meant to be protected by encryption".
The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker Network Associates has posted a patch on its site (http://www.nai.com). The company recently sold all PGP assets to a start-up, PGP Corp., but appears to still be providing support for the program. Neither company could be reached for comment.
The current vulnerability resembles another flaw in the PGP plug-in for Outlook, found in early July.
Robert Lemos writes for News.com
The Software Localisation engineer must have attention to detail and the ability to create and adapt.The Localisation Engineer performs general ...
Identifies and prepares files for localisation. Manages files using version control systems. Generates word counts for files to be translated. ...
Core responsibilities: * Oversee security management and vulnerability program,* Ensure audit logs are monitored daily,* Conduct security awareness ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Is Your Enterprise Architected for Tomorrow's Growth?
Improving IT service delivery through an integrated approach to software asset management...
TechRepublic Resource Guide: Software as a Service (SaaS) for Small and Midsize Businesses...
Download a Free Trial of SmartDraw: Learn why SmartDraw is the ideal alternative...
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy