Bugtraq mailing list archives
Re: PGP Plugin for Outlook can send unencrypted messages
From: wcne <webmaster () wireless-ce com>
Date: Wed, 26 Dec 2001 08:34:38 +0200
Some active mouse implementations can really make this a problem, as the focus will follow whatever the mouse rolls over. The problem can also happen when using the tray icon to encrypt & sign the current window. I've seen it since PGP version 6.5.1, and in Windows 95, 98, ME, 2000.

I work around it by using the tray icon rather than the plugin for Outlook Express for encryption. I can see the message encrypted that way.

----- Original Message -----
From: "Peter Trifonov" <pvthome () hotbox ru>
To: <bugtraq () securityfocus com>
Sent: Saturday, December 22, 2001 3:41 PM
Subject: PGP Plugin for Outlook can send unencrypted messages
Summary: If window focus changes while PGP is encrypting a message, encrypted text goes to the wrong window and the message is sent unencrypted.

Systems affected: Discovered on Windows 2000; seems to be the same on other Windows versions; PGP freeware 7.0.3

Explanation: PGP plugin seems to operate as follows: When you press the Send button in the Message window, it selects text FROM ACTIVE WINDOW and passes it to the PGP Engine. It processes it and puts ciphertext into the ACTIVE WINDOW, replacing the selected text. But if another window becomes active while encryption goes on, ciphertext goes into that window and the original Message window remains unaffected. PGP plugin decides that encryption is done and proceeds with message sending. A remote attacker can force the active window to change, for example, by sending an ICQ message at the time of encryption.

Conclusions: This bug report has been posted here to warn people about potential danger coming from easy-to-use window-button interface to encryption software. However, it seems to me that the problem can be easily fixed
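A small model of the focus race described in the report above, added here as an illustration; it is not part of either post and is not PGP's code. The `Desktop` class, the window names and the placeholder `fake_encrypt` are constructed assumptions. It contrasts resolving the active window twice with binding to the compose window once and refusing to send unless the body is armored.

```python
"""Model of the focus race: 'active window' is resolved before and after encryption."""

ARMOR = "-----BEGIN PGP MESSAGE-----"

class Desktop:
    """Constructed stand-in for the window manager: handle -> text, plus focus."""
    def __init__(self):
        self.text = {"compose": "meet at noon", "icq": ""}
        self.active = "compose"

def fake_encrypt(plaintext, desktop, steal_focus):
    """Placeholder for the PGP engine (not real crypto); focus may change while it runs."""
    if steal_focus:
        desktop.active = "icq"              # another window becomes active mid-encryption
    return f"{ARMOR}\n{plaintext[::-1]}\n-----END PGP MESSAGE-----"

def send_active_window(desktop, steal_focus=False):
    """Behaviour described in the report: read and write both use the window active *now*."""
    plaintext = desktop.text[desktop.active]
    ciphertext = fake_encrypt(plaintext, desktop, steal_focus)
    desktop.text[desktop.active] = ciphertext   # may land in a different window
    return desktop.text["compose"]              # body that actually gets sent

def send_bound_window(desktop, steal_focus=False):
    """Hardened variant: capture the compose handle once, verify the body before sending."""
    target = desktop.active                     # captured when Send is clicked
    plaintext = desktop.text[target]
    ciphertext = fake_encrypt(plaintext, desktop, steal_focus)
    desktop.text[target] = ciphertext           # write by handle, not by focus
    body = desktop.text[target]
    if not body.startswith(ARMOR):              # fail closed: never send plaintext
        raise RuntimeError("ciphertext is not in the message body; send aborted")
    return body

if __name__ == "__main__":
    print(repr(send_active_window(Desktop(), steal_focus=True)))   # plaintext goes out
    print(send_bound_window(Desktop(), steal_focus=True).splitlines()[0])
```

The armor check before sending is the part that matters even if the handle binding were missed: a send path that verifies its own output cannot silently emit plaintext.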
Current thread:
- PGP Plugin for Outlook can send unencrypted messages Peter Trifonov (Dec 23)
- Re: PGP Plugin for Outlook can send unencrypted messages wcne (Dec 26)
- Re: PGP Plugin for Outlook can send unencrypted messages Will Price (Dec 29)