eEye Digital Security has recently released a vulnerability advisory for PGP v7.0.3. The problem affects only the plugin for Microsoft Outlook (not Outlook Express).
The vulnerability is triggered by receiving a malformed email. The flaw could potentially be used to gain control of a machine, including remote code execution and/or stealth monitoring/interception of data.
Phil Zimmermann (PGP's creator) left Network Associates (PGP's distributor) in 1997, declaring all versions of the software to be "backdoor-free". Phil is probably trustworthy, but Network Associates is a different story -- after v6.5.8, the code was not released to the public for analysis.
If any of this makes you uncomfortable, here are some places to start doing your own cryptography research (and really, you probably should):
-- Introduction to encryption and practical uses for cryptography
-- 'Certified' (code released) versions of PGP, including v6.5.8
-- Links to PGP information worldwide (PGPi)
-- Standards body developing PGP encryption standards (OpenPGP)
-- GNU Privacy Guard, an excellent open-source PGP client alternative