PGP flaw lets hackers pick Outlook locks
A hole in the PGP encryption add-on for Microsoft's Outlook email client could let attackers launch hostile programs on victims' machines. There's a patch - but it's not that simple to fix
A widely used plug-in for Microsoft's Outlook email client that lets users encrypt and digitally sign messages has inadvertently weakened security and left the mail program open to attack.
Security company eEye Digital Security issued a warning late Wednesday to users of Network Associates' Pretty Good Privacy (PGP) plug-in for Outlook, saying that a vulnerability in the add-on could let attackers execute malicious software on a victim's computer. Network Associates released a patch for the problem Wednesday as well.
The irony of the flaw -- it affects the most security conscious of computer users -- did not escape Marc Maiffret, chief hacking officer for eEye.
"PGP is such a trusted product," Maiffret said. "It's a product made specifically to stop attackers from accessing your data, and here it is not only not stopping them but making it easier to get in."
The flaw occurs because PGP handles certain malformed emails incorrectly, said the eEye advisory. An attacker could send a specially crafted email to an Outlook user who has the PGP plug-in installed and could then be able to access that user's system. Not only could attackers execute hostile programs, they could also steal the victim's private encryption keys and have access to coded communications.
Although he expected PGP users to patch their systems quickly, Maiffret said the danger is somewhat magnified by the fact that not only the sender but also all the recipients of encrypted email have to have patched their PGP plug-in.
"If the person you are sending stuff to has not applied the patch, then you are still at risk," Maiffret said.
Microsoft's Outlook email client has been lambasted in the past for its poor security. This time, however, the problem is not with the program but with a plug-in.
The issue doesn't affect PGP Corporate Desktop users, stated Network Associates in its advisory. The patch is available on the company's Web site.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
|