Re: EEYE: Remote PGP Outlook Encryption Plug-in Vulnerability

From: Rob MacGregor (rob_macgregor@HOTMAIL.COM)
Date: 07/11/02


Date:         Thu, 11 Jul 2002 17:30:27 +0000
From: Rob MacGregor <rob_macgregor@HOTMAIL.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


>From: Marc Maiffret <marc@EEYE.COM>
>
>Remote PGP Outlook Encryption Plug-in Vulnerability
>
>Release Date:
>July 10, 2002
>
>Severity:
>High (Remote Code Execution)
>
<---SNIP--->
>
>Vendor Status: NAI has worked quickly to safeguard customers against this
>vulnerability. They have released a patch, for the latest versions of the
>PGP Outlook plug-in, to protect systems from this flaw. You may download
>the patch from:
>http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
>Note: This issue does not affect PGP Corporate Desktop users.

I've downloaded and installed the patch at the above URL. However, the
content of the patch appears to be incorrect.

The README states:
    You should see the following information:

    File Version: 7.0.5.0
    Product Version: 7.0.5
    Build Number: 104

However, the actual file installed is:

    File Version: 7.0.4.0
    Product Version: 7.0.4
    Build Number: Hotfix 2

If somebody's got contacts in NAI they might want to warn them that they
appear to be shipping a non-patch...

    Please don't CC me on anything sent to mailing lists or send
        me email directly unless it's a privacy issue, thanks.

--
Rob  |  Ask questions the smart way:
                http://www.tuxedo.org/~esr/faqs/smart-questions.html
