Re: PGP Plugin for Outlook can send unencrypted messages

[wcne <webmaster () wireless-ce com>]

Some active mouse implementations can really make this a problem, as the
focus will follow whatever the mouse rolls over.  The problem can also
happen when using the tray icon to encrypt & sign the current window.  I've
seen it since pgp version 6.5.1, and in windows 95, 98, ME, 2000.

I work-around by using the tray icon rather than the plugin for Outlook
Express for encryption.  I can see the message encrypted that way.



----- Original Message -----
From: "Peter Trifonov" <pvthome () hotbox ru>
To: <bugtraq () securityfocus com>
Sent: Saturday, December 22, 2001 3:41 PM
Subject: PGP Plugin for Outlook can send unencrypted messages


> Summary:
>
> If window focus changes while PGP is encrypting a
>
> message encrypted text goes to the wrong window
>
> and message is sent unencryted
>
>
>
> Systems affected:
>
> Discovered on Windows 2000; seems to be the
>
> same on other Windows versions; PGP freeware
>
> 7.0.3
>
>
>
> Explanation:
>
> PGP plugin seems to operate as follows:
>
> When you press the Send button in the Message
>
> window it selects text FROM ACTIVE WINDOW and
>
> passes it to the PGP Engine. It processes it and puts
>
> ciphertext into the ACTIVE WINDOW replacing the
>
> selected text. But if another window becomes active
>
> while encryption goes on ciphertext goes into that
>
> window and original Message window remains
>
> unaffected. PGP plugin decides that encryption is
>
> done and proceeds with message sending.
>
>
>
> Remote attacker can force active window to change,
>
> for example, by sending an ICQ message at the time
>
> of encryption.
>
>
>
> Conclusions:
>
> This bug report has been posted here to warn people
>
> about potential danger coming from easy-to-use
>
> window-button interface to encryption software.
>
> However, it seems to me that the problem can be
>
> easily fixed