vulnerability in Outlook PGP plugin

John S. Denker jsd at monmouth.com
Thu Jul 11 06:59:49 PDT 2002


http://www.eeye.com/html/Research/Advisories/AD20020710.html

This vulnerability can be exploited by the Outlook user simply
selecting a "malicious" email, the opening of an attachment is 
not required. 
...
[NAI] have released a patch for the latest versions of the PGP
Outlook plug-in to protect systems from this flaw. Users can 
download the patch from:
        
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp


=============================
By TED BRIDIS, Associated Press Writer

 WASHINGTON (AP) - The world's most popular software for scrambling
 sensitive e-mails suffers from a programming flaw that could allow
 hackers to attack a user's computer and, in some circumstances,
 unscramble messages.

 The software, called Pretty Good Privacy, or PGP, is the de facto
 standard for encrypting e-mails and is widely used by corporate and
 government offices, including some FBI agents and
 U.S. intelligence agencies. The scrambling technology is so powerful
 that until 1999 the federal government sought to restrict its sale
 out of fears that criminals, terrorists and foreign nations might use
 it.

 The new vulnerability, discovered weeks ago by researchers at eEye
 Digital Security Inc., does not exploit any weakness in the complex
 encrypting formulas used to scramble messages into
 gibberish. Instead, hackers are able to attack a programming flaw in
 an important piece of companion software, called a plug-in, that
 helps users of Microsoft Corp.'s Outlook e-mail program encrypt
 messages with a few mouse clicks.

 Outlook itself has emerged as the world's standard for e-mail
 software, with tens of millions of users inside many of the world's
 largest corporations and government offices. Smaller numbers use the
 Outlook plug-in to scramble their most sensitive messages so that
 only the recipient can read them.

 "It's not the number of people using PGP but the fact that they're
 using it because they're trying to safeguard their data," said Marc
 Maiffret, the eEye executive and researcher who discovered the
 problem. "Whatever the percentage is, it's very important data."

 Maiffret said there was no evidence anyone had successfully attacked
 users of the encryption software with this technique. He said the
 programming flaw was "not totally obvious," even to trained
 researchers examining the software blueprints.

 Network Associates Inc. of Santa Clara, Calif., which until February
 distributed both commercial and free versions of PGP, made available
 on its Web site a free download to fix the software. The company
 announced earlier it was suspending new sales of the software, which
 hasn't been profitable, but moved within weeks to repair the problem
 in existing versions. The company's shares fell 50 cents to $17.70 in
 Tuesday trading on the New York Stock Exchange.

 Free versions of PGP are widely available on the World Wide Web.

 The flaw allows a hacker to send a specially coded e-mail - which
 would appear as a blank message followed by an error warning - and
 effectively seize control of the victim's computer. The hacker could
 then install spy software to record keystrokes, steal financial
 records or copy a person's secret unlocking keys to unscramble their
 sensitive e-mails. Other protective technology, such as corporate
 firewalls, could make this more difficult.

 "You can do whatever you want - execute code, read e-mails, install a
 backdoor, steal their keys. You could intercept all that stuff,"
 Maiffret said.

 Experts said the convenience of the plug-ins for popular e-mail
 programs broadened the risk from this latest threat, since encryption
 software is famously cumbersome to use without them. Even the creator
 of PGP, Philip Zimmermann, relies on such a plug-in, although
 Zimmermann uses one that works with Eudora e-mail software and does
 not suffer the same vulnerability as Outlook's.

 A plug-in for Microsoft's Outlook Express - a scaled-down version of
 Outlook - is not affected by the flaw.

 Maiffret said his company immediately deactivated the vulnerable
 software on all its computers, which can be done with nine
 mouse-clicks using Outlook, until it could apply the repairs from
 Network Associates. The decision improved security but "makes it kind
 of a pain" to send encrypted e-mails, he said.

 Zimmermann, in an interview, said PGP software is used "quite
 extensively" by U.S. agencies, based on sales when he formerly worked
 at Network Associates. He also said use of the vulnerable companion
 plug-in was widespread. Zimmermann declined to specify which
 U.S. agencies might be at risk, but other experts have described
 trading scrambled e-mails using PGP and Outlook with employees at the
 FBI, the Energy Department and even the super-secret National
 Security Agency.

 In theory, only nonclassified U.S. information would be at risk from
 this flaw. Agencies impose strict rules against transmitting any
 classified messages - encrypted or not - over the Internet, using the
 government's own secret networks instead.

 "The only time the government would use PGP is when it's dealing with
 sensitive but unclassified information and has a reasonable degree of
 assurance that both parties have PGP," said Mark Rasch, a former
 U.S. prosecutor and expert on computer security.  "It's hardly used
 on a routine basis."

 __

 On the Net:

 eEye Digital Security: http://www.eeye.com/

 Network Associates: http://www.nai.com/

 MIT's PGP site: http://web.mit.edu/network/pgp.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




