Bugtraq mailing list archives

PGP Plugin for Outlook can send unencrypted messages


From: Peter Trifonov <pvthome () hotbox ru>
Date: 22 Dec 2001 13:41:57 -0000



Summary:
If window focus changes while PGP is encrypting a 
message, encrypted text goes to the wrong window 
and the message is sent unencrypted.

Systems affected:
Discovered on Windows 2000; seems to be the 
same on other Windows versions; PGP freeware 
7.0.3

Explanation:
PGP plugin seems to operate as follows:
When you press the Send button in the Message 
window it selects text FROM ACTIVE WINDOW and 
passes it to the PGP Engine. It processes it and puts 
ciphertext into the ACTIVE WINDOW replacing the 
selected text. But if another window becomes active 
while encryption goes on, ciphertext goes into that 
window and the original Message window remains 
unaffected. The PGP plugin decides that encryption is 
done and proceeds with message sending.

A remote attacker can force the active window to change, 
for example, by sending an ICQ message at the time 
of encryption.

Conclusions:
This bug report has been posted here to warn people 
about potential danger coming from easy-to-use 
window-button interface to encryption software. 
However, it seems to me that the problem can be 
easily fixed
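
The flow described in the report, as an added Python model that is not part of the original post and is not PGP or Outlook code. It contrasts writing ciphertext back to whichever window is active with binding to the window captured at Send time and refusing to send a body that is not ciphertext. All names (Window, Desktop, fake_encrypt, send_flawed, send_hardened) are hypothetical and the "encryption" is a placeholder.

```python
# Added model of the reported flow; constructed, not PGP or Outlook code.
from dataclasses import dataclass

ARMOR = "-----BEGIN PGP MESSAGE-----"


@dataclass
class Window:
    title: str
    text: str


class Desktop:
    """Stand-in for the window manager: tracks which window has focus."""
    def __init__(self, *windows):
        self.active = windows[0]


def fake_encrypt(plaintext, desktop, steal_focus_to=None):
    """Placeholder for the PGP engine (no real cryptography). Optionally
    simulates another window taking focus while encryption runs."""
    if steal_focus_to is not None:
        desktop.active = steal_focus_to
    return f"{ARMOR}\n<{len(plaintext)} bytes encrypted>\n-----END PGP MESSAGE-----"


def send_flawed(desktop, steal_focus_to=None):
    """Reported behaviour: read from and write back to the ACTIVE window."""
    compose = desktop.active
    ciphertext = fake_encrypt(desktop.active.text, desktop, steal_focus_to)
    desktop.active.text = ciphertext  # active window may have changed
    return compose.text               # body that is actually sent


def send_hardened(desktop, steal_focus_to=None):
    """Bind to the window captured at Send time, then fail closed."""
    compose = desktop.active
    compose.text = fake_encrypt(compose.text, desktop, steal_focus_to)
    if not compose.text.startswith(ARMOR):
        raise RuntimeError("outgoing body is not ciphertext; not sending")
    return compose.text
```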

