Bugtraq mailing list archives
PGP Plugin for Outlook can send unencrypted messages
From: Peter Trifonov <pvthome () hotbox ru>
Date: 22 Dec 2001 13:41:57 -0000
Summary: If window focus changes while PGP is encrypting a message encrypted text goes to the wrong window and message is sent unencryted Systems affected: Discovered on Windows 2000; seems to be the same on other Windows versions; PGP freeware 7.0.3 Explanation: PGP plugin seems to operate as follows: When you press the Send button in the Message window it selects text FROM ACTIVE WINDOW and passes it to the PGP Engine. It processes it and puts ciphertext into the ACTIVE WINDOW replacing the selected text. But if another window becomes active while encryption goes on ciphertext goes into that window and original Message window remains unaffected. PGP plugin decides that encryption is done and proceeds with message sending. Remote attacker can force active window to change, for example, by sending an ICQ message at the time of encryption. Conclusions: This bug report has been posted here to warn people about potential danger coming from easy-to-use window-button interface to encryption software. However, it seems to me that the problem can be easily fixed
Current thread:
- PGP Plugin for Outlook can send unencrypted messages Peter Trifonov (Dec 23)
- Re: PGP Plugin for Outlook can send unencrypted messages wcne (Dec 26)
- Re: PGP Plugin for Outlook can send unencrypted messages Will Price (Dec 29)