Bugtraq mailing list archives

RE: PGP 7.04 Patch Modifies the Password Cache Setting


From: "Cohen, Steve" <Steve.Cohen () echostar com>
Date: Thu, 25 Jul 2002 16:26:55 -0600

Roni,

Thanks for your reply.

One of the problems is that Version 7.1 does have exactly the same problem!

I just tested it, and from what I can tell, the same problem exists here, too.

I just purchased Version 7.1 this past April.

My only option still seems to be to set the cache to never cache.



Steve

        -----Original Message-----
        From:   Roni_Katz () nai com [SMTP:Roni_Katz () nai com]
        Sent:   Thursday, July 25, 2002 4:15 PM
        To:     Cohen, Steve; bugtraq () securityfocus com
        Subject:        RE: PGP 7.04 Patch Modifies the Password Cache Setting

        Steve,
        
        Sorry but I couldn't get your point of view.

        Why don't you simply make an upgrade? The version 7.1.1 does not have
        this problem.

        Regards,
         
        Roni Katz
        Mcafee Systems Engineer
        Network Associates do Brasil - www.nai.com
        Fone: 55 11 5503-0124
        FAX : 55 11 5503-0131
        Fingerprint: D405 12F3 8917 63C2 A3AC 2D4F 06B8 4A3E 10F7 177C
        - Your Network, Our Business
         



        -----Original Message-----
        From: Steve.Cohen () EchoStar Com [mailto:Steve.Cohen () EchoStar Com]
        Sent: Thursday, July 25, 2002 1:34 PM
        To: bugtraq () securityfocus com
        Subject: PGP 7.04 Patch Modifies the Password Cache Setting
        
        
        
        
        I noticed that the new PGP 7.04 Patch, while addressing the security
        issue that required Network Associates to issue the patch, also
        appears to affect the Passphrase Cache.
        
        After applying the patch, I noticed that my passphrase cache, while
        still set to 2:00 minutes, was now functioning as though I had set it
        to "Cache Passphrase While Logged On."
        
        In other words, no matter how long it had been since I had last
        entered my passphrase, I could open any PGP e-mail or document
        without entering my passphrase again.
        
        Checking the Options screen, I discovered that the Passphrase Cache
        still appeared to be set at 2:00 minutes.
        
        Even setting it to 1 Second did not solve the problem; my passphrase
        was still cached for as long as I was logged on.
        
        The only way I could find to resolve this problem was to reset the
        option to NEVER cache my passphrase.
        
        I brought this to the attention of Network Associates, and they WERE
        able to replicate my findings.
        
        However, their position is that since this is an old and not
        currently supported version of PGP, they were not going to fix this
        problem.
        
        According to them, my only option was to upgrade to version 7.1.1,
        which they feel does not have this problem.
        
        
        I feel that this problem is potentially much more important than the
        problem that required the patch in the first place, since there is a
        much higher likelihood of a security problem if anyone can read any
        PGP e-mail or document on your computer by simply opening it up.
        
        I also feel that if Network Associates felt they had to fix their
        initial security problem with this patch, that they should also have
        to fix the security problem that their patch caused.
        
        

