PGP users
ljc1174
September 6th, 2002, 06:08 AM
This may already be known, but I haven't seen any posting on it, so forgive me if this is old news.
I noticed a post with PGP and felt the need to share. I just noticed the link on my homepage for one of the news articles, anyway, like I said, if it's old and already known forgive my slowness.
File-name flaw threatens PGP users
Security-consulting firm Foundstone said Thursday that e-mail messages encrypted with the Pretty Good Privacy program can be used as digital bullets to attack and take control of a victim's computer.
Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organization's network," Foundstone said in an advisory.
see link for complete story
http://msn-cnet.com.com/2100-1001-956815.html?type=pt&part=msn&tag=cdf&form=base&subj=cn_fd
Paul Wilders
September 6th, 2002, 06:18 AM
Hi Lori,
No need to apologize - and thanks for posting! ;).
IMHO NAI only screwed PGP - all the more reason to stick to the old "Zimmermann" versions, like 6.5.1 or the .ckt versions.
Things most probably will change for the better as far as new releases are concerned, now that Zimmermann is involved once more and NAI is no longer involved.
regards.
paul
the Tester
September 7th, 2002, 01:11 PM
That was very informative, Paul and Lori. I have heard of PGP, but I am not at all familiar with it. At any rate, I'll steer clear of that program for now. Thank you for the info.
MyNethingyman
September 10th, 2002, 04:04 PM
Other members may be interested in this article.
Buffer overflow in PGP 7.1.1
http://www.vsantivirus.com/vul-pgp711.htm
By VSAntivirus Editorial Staff
vsantivirus@videosoft.net.uy
Security warning: Buffer overflow in PGP 7.1.1
Original name: Remotely Exploitable Buffer Overflow in PGP
Original date: 5/Sep/02
Vulnerable application: PGP Corporate Desktop 7.1.1
Severity: Burden
Risk: Remote code execution and disclosure of passwords
Reference: http://www.foundstone.com/advisories
A new vulnerability in PGP (Pretty Good Privacy), the popular encryption and encoding software, allows an attacker to execute any code remotely on the computer of anyone who has version 7.1.1 of this application installed.
The fault occurs because PGP does not verify, in all cases, the length of the name of a file that it is processing.
This causes the program to fail when the user tries to encrypt or decrypt a document with an excessively long name.
An attacker could exploit this fault by creating a file name of a certain length and format, encrypting the document with the victim's public key, and then sending this file to the victim as an attachment to an e-mail message.
When the victim tried to decrypt this file, the excessively long name would exceed the size of the buffer allocated by PGP to process it, causing a buffer overflow and, more critically, executing any code that the attacker has included.
Under certain conditions, this also allows the attacked user's password to be revealed, because at a certain moment it is in memory in plain text (that is, readable), and it is not erased if PGP hangs before then.
An attacker can use some appropriate tool to capture these data and then send them to himself.
The attack takes advantage of one of the characteristics that make cryptographic utilities like PGP so efficient and popular: the availability on the Internet of lists with the users' public keys.
(more info at the link)
puff-m-d
September 10th, 2002, 07:29 PM
Hello all,
The best choice IMHO is to use PGP 6.5.8 ckt 09 beta 3. It is very stable (even on XP machines) and these vulnerabilities do not apply to this version.
You can find it here:
http://freepages.computers.rootsweb.com/~irfaiad/
Regards,
Kent
Copyright ©2002 - 2012, Wilders Security Forums