PGP e-mails may become digital bullets

Jeremy Fowler jfowler at westrope.com
Fri Sep 6 20:11:51 CDT 2002 

http://zdnet.com.com/2100-1105-956815.html

PGP e-mails may become digital bullets

By Robert Lemos
Special to ZDNet News
September 6, 2002, 4:53 AM PT

For more than a decade, the United States government classified encryption
technology as a weapon. Now that label might actually apply.
Security-consulting firm Foundstone said Thursday that e-mail messages encrypted
with the Pretty Good Privacy program can be used as digital bullets to attack
and take control of a victim's computer.

Because of a flaw in the way PGP handles long file names in an encrypted
archive, an attacker could "take control of the recipient's computer, elevating
his or her privileges on the organization's network," Foundstone said in an
advisory.

The company classified the vulnerability as a high risk "due to the trusting
nature of encrypted attachments in e-mail, its relative ease of exploitation and
the large amount of corporations and military and government agencies that rely
on PGP encryption for secure communication."

The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker Network
Associates has posted a patch on its site. The company recently sold all PGP
assets to a start-up, PGP Corp., but appears to still be providing support for
the program. Neither company could be reached for comment.

The flaw occurs in the way PGP handles long file names in encrypted archives,
Network Associates said on its site. PGP runs into problems when it tries to
encrypt or decrypt files that have names longer than 200 characters. When PGP
attempts to decrypt the files, a buffer overflow causes it to crash.

The long file names aren't readily apparent to a recipient of such an e-mail,
said Foundstone CEO George Kurtz.

"It is just like a ZIP file," Kurtz said. "You can name a file with eight
characters, but archived in the file are several other (files) with long file
names."

The danger, Kurtz said, is that the flaw could be used to attack users who have
the most to protect. "Most users of PGP have some level of security
sophistication. It makes it that much more of a high-level attack," Kurtz said.
An attacker could "obtain that very valuable information that was meant to be
protected by encryption."

The flaw is unrelated to another theoretical vulnerability discussed by security
experts last month. Exploiting that flaw, someone could fool the sender of a
PGP-encrypted e-mail into decoding their own message. Unlike the current flaw,
that vulnerability wouldn't give the attacker control of a computer.

The current vulnerability resembles another flaw in the PGP plug-in for Outlook,
found in early July.

More information about the Kclug mailing list