
Hole found in popular PGP encryption software

By Reuters
San Francisco, 09 Sept 2002

Popular encryption software used by some government agencies and businesses to safeguard e-mail from prying eyes has a hole that could let outsiders take over their systems, a security expert says.

The vulnerability, for which a fix has been devised that users can download, affects a corporate version of PGP, or Pretty Good Privacy, one of the best known encryption systems, when it is used with an e-mail program such as Microsoft's Outlook. PGP allows users to encrypt messages so that only the intended recipient can read them.

The exploit for the new vulnerability uses a common type of attack, called a buffer overflow, in which a program is sent more data than it can handle.

"The exploit would do anything we wanted," George Kurtz, chief executive of Foundstone, a consulting and security firm which found the vulnerability, said Thursday.

Because PGP is used by government and security companies, "this can really be used on the elite of the elite," he said.

Foundstone built an attack, or exploit, which could allow an outsider to gain access to a target computer if the user decrypted a modified file, sent by e-mail, using the PGP Corporate Desktop, he said.

Jon Callas, chief technology officer of PGP Corp, which owns PGP Corporate Desktop, said he had not seen the exploit but that generally, "it is much easier to crash something than do something that is really useful."

He said the danger seemed moderate to serious, and that the risk of losing a pass code was serious. Users should install security patches as a matter of course, he added.

Foundstone alerted security software firm Network Associates, which has posted a fix for the PGP Corporate Desktop on its Web site, nai.com. Network Associates last month sold most of the PGP assets to the newly founded PGP Corp.


Reuters News Service

Copyright 2002 Reuters Limited. All rights reserved. Republication and redistribution of Reuters content is expressly prohibited without the prior written consent of Reuters. Reuters shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.