All Microsoft Windows systems using PGP encryption software
suffer from a critical security vulnerability, according to
researchers at eEye Digital Security, a developer of network
security products. PGP (or Pretty Good Privacy) software is the
most popular public key encryption system for e-mails. It is used
by many corporate and government agencies worldwide, including the
FBI and US intelligence, to protect digital information transferred
on-line.
The flaw lies not in the encryption algorithms themselves but in
a programming error in a piece of companion software, called a
plug-in, which is used with Microsoft Outlook to encrypt messages
with a few mouse clicks.
Attackers can send a specially crafted e-mail to any Outlook user
running the PGP plug-in, which in turn gives them access to that
system. Attackers would then be able to compromise the private key
and use it to decrypt e-mail communications.
According to eEye Digital Security, the flaw only affects
Microsoft Outlook users.
“It’s not the number of people using PGP but the fact that
they’re using it because they’re trying to safeguard their data.
Whatever the percentage is, it’s very important data”, a spokesman
for eEye told the Wall Street Journal.
He added that the programming flaw was not obvious and that there
was no evidence that anyone had successfully attacked users of the
software.
Network Associates, distributors of the PGP software until
February, have made available a free download to fix the software.
The company has also suspended new sales of the product until the
problem in existing versions is repaired.