ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

File-name flaw threatens PGP users

Published: 06 Sep 2002 06:56 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Security-consulting firm Foundstone said Thursday that email messages encrypted with the Pretty Good Privacy program can be used as digital bullets to attack and take control of a victim's computer.

Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organisation's network," Foundstone said in an advisory.

The company classified the vulnerability as a high risk "due to the trusting nature of encrypted attachments in email, its relative ease of exploitation and the large amount of corporations and military and government agencies that rely on PGP encryption for secure communication."

The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker Network Associates has posted a patch on its site. The company recently sold all PGP assets to a start-up, PGP Corp., but appears to still be providing support for the program. Neither company could be reached for comment.

The flaw occurs in the way PGP handles long file names in encrypted archives, Network Associates said on its site. PGP runs into problems when it tries to encrypt or decrypt files that have names longer than 200 characters. When PGP attempts to decrypt the files, a buffer overflow causes it to crash.

The long file names aren't readily apparent to a recipient of such an email, said Foundstone chief executive George Kurtz.

"It is just like a ZIP file," Kurtz said. "You can name a file with eight characters, but archived in the file are several other (files) with long file names."

The danger, Kurtz said, is that the flaw could be used to attack users who have the most to protect. "Most users of PGP have some level of security sophistication. It makes it that much more of a high-level attack," Kurtz said. An attacker could "obtain that very valuable information that was meant to be protected by encryption."

The flaw is unrelated to another theoretical vulnerability discussed by security experts last month. Exploiting that flaw, someone could fool the sender of a PGP-encrypted email into decoding their own message. Unlike the current flaw, that vulnerability wouldn't give the attacker control of a computer.

The current vulnerability resembles another flaw in the PGP plug-in for Outlook, found in early July.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with Dell

Did you find this article useful?
37 out of 101 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

Web Developer - HTML, XHTML, CSS

Both the company and their end client are great names/ projects to add to your resume as the agency truly are a leader in their field, who produce ...

Web Developer Needed. Bromley. PHP / My SQL / HTML / CSS 30-40K

My client is one of the most established names in the travel industry. If you are interested please call Claire Okeeffe, Huxley Associates, ...

Flash Developer - Media Agency

One of this media agencies largest clients is one of the worlds leading car manufacturers and you will add a number of household names to you ...

Featured Talkback

What was achieved there is recognised to be of fundamental importance to both winning the war (Churchill visited to say 'thank you' to them) and the development of the computer. Maybe Bill Gates doesn't want to support this museum because it underlines where electronic computing started i.e. here, not the U.S.

By: 1000103773

Read full story:
Bletchley Park faces bleak future

Sentry Posts Blog

Mobile Security Expert: Your Camera Ph...

Mobile Security Expert: Your Camera Phone Got Hacked Author: Eric Everson, Founder MyMobiSafe.com Have you ever heard someone say “I’d like to be a fly on the wall in that room.”?... More

Post a comment

Skype - The Roach Motel

Here is an interesting article from The National Business Review, pointing out once again that you can never delete a Skype account. Never. Period. This is something I am familiar... More

Post a comment

The vPhone: Why Visa Should Go Mobile

The vPhone: Why Visa Should Go Mobile Author: Eric Everson, Founder MyMobiSafe.com With all of the success of Apple’s iPhone, there is a growing case to support a company like Visa... More

Post a comment