Flaw lets hackers pick Outlook locks

A widely used plug-in for Microsoft's Outlook e-mail client that lets users encrypt and digitally sign messages has inadvertently weakened security and left the mail program open to attack.

Security company eEye Digital Security issued a warning late Wednesday to users of Network Associates' Pretty Good Privacy (PGP) plug-in for Outlook, saying that a vulnerability in the add-on could let attackers execute malicious software on a victim's computer. Network Associates has released a patch for the problem.

The irony of the flaw--it affects the most security-conscious of computer users--did not escape Marc Maiffret, chief hacking officer for eEye.

"PGP is such a trusted product," Maiffret said. "It's a product made specifically to stop attackers from accessing your data, and here it is not only not stopping them but making it easier to get in."

The flaw occurs because PGP handles certain malformed e-mails incorrectly, said the eEye advisory. An attacker could send a specially crafted e-mail to an Outlook user who has the PGP plug-in installed and then gain access to that user's system. Not only could attackers execute hostile programs, they could also steal the victim's private encryption keys and gain access to coded communications.

Although he expected PGP users to patch their systems quickly, Maiffret said the danger is somewhat magnified by the fact that not only the sender but also all the recipients of encrypted e-mail have to have patched their PGP plug-in.

"If the person you are sending stuff to has not applied the patch, then you are still at risk," Maiffret said.

Microsoft's Outlook e-mail client has been lambasted in the past for its poor security. This time, however, the problem is not with the program but with a plug-in.

The issue doesn't affect PGP Corporate Desktop users, stated Network Associates in its advisory. The patch is available on the company's Web site.
