PGP users

Discussion in 'other security issues & news' started by ljc1174, Sep 6, 2002.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Aug 15, 2002
    Cleveland, Ohio USA
    This may already be known, but I haven't seen any posting on it, so forgive me if this is old news.
    I noticed a post with PGP and felt the need to share. I just noticed the link on my homepage for one of the news articles, anyway, like I said, if it's old and already known forgive my slowness.

    File-name flaw threatens PGP users

    Security-consulting firm Foundstone said Thursday that e-mail messages encrypted with the Pretty Good Privacy program can be used as digital bullets to attack and take control of a victim's computer.

    Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organization's network," Foundstone said in an advisory.

    see link for complete story
  2. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Hi Lori,

    No need to apologize - and thanks for posting! ;).

    IMHO NAI only screwed PGP - reason the more to stick to the old "Zimmermann" versions, like 6.5.1 or the .ckt versions.

    Things most probably will change for the better as new releases are concerned, now Zimmermann is involved once more, and NAI no longer being involved.


  3. the Tester

    the Tester Registered Member

    Jul 28, 2002
    The Gateway to the Blue Hills,WI.
    That was very informative Paul and Lori.I have heard of PGP,but I am not at all familiar with it.At any rate,I'll steer clear of that program for now.Thank you for the info.
  4. other members may be interested in this article.

    Underflow of búfer in PGP 7.1.1

    By VSAntivirus Writing

    Warning of security: Underflow of búfer in PGP 7.1.1
    Original name: Remotely Exploitable Overflow Buffer in PGP
    Original date: 5/set/02
    Vulnerable application: PGP Corporate Desktop 7.1.1
    Severity: Burden
    Risk: Remote execution of revealed code and of passwords

    A new vulnerability in PGP (Pretty Good Privacy), the popular software of encriptación and coding, allows that an attacker can execute any code in remote form in the computer of that she has installed version 7,1,1 of this application.

    The fault takes place, because noncertifica PGP in all the cases, the length in the name of a file that it is processing.

    This allows that the program fails when the user tries to codify or to desencriptar a document with an excessively long name.

    An attacker could operate this fault in his favor, creating a file name of certain length and format, codifying the document with the public key of the victim, and soon commanding to him to this one this file like associate in an electronic message.

    When the victim tried to desencriptar this file, the excessively long name would surpass the size in the buffer assigned by PGP for its process, causing an underflow of búfer, and what is more critical, executing any code that the attacker has including.

    In certain conditions, this also allows to reveal the password of the attacked user, because the same one is at certain moment in memory, in flat format (that is readable), and is not erased if PGP is hung before it.

    An attacker can use some appropriate tool to capture and soon to be sent to if same these data.

    The attack takes advantage of one of the characteristics that make the cryptographic utilities like PGP so efficient and popular, the availability in Internet of lists with the public keys of the users.

    (more info at the link)
  5. puff-m-d

    puff-m-d Registered Member

    Feb 13, 2002
    North Carolina, USA
    Hello all,

    The best choice IMHO is to use PGP 6.5.8 ckt 09 beta 3. It is very stable (even on XP machines) and these vulnerabilities do not apply to this version.

    You can find it here:

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.