[NT] PGP Plugin for Outlook Can Send Unencrypted Messages
From: support@securiteam.com
Date: 12/24/01
From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 24 Dec 2001 15:03:49 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PGP Plugin for Outlook Can Send Unencrypted Messages
------------------------------------------------------------------------
SUMMARY
If window focus changes while PGP is encrypting a message, the encrypted text
goes to the wrong window and the message is sent unencrypted.
DETAILS
Vulnerable systems:
PGP freeware versions prior to and including 7.0.3
The PGP plugin seems to operate as follows:
When you press the Send button in the Message window, it selects text from the
ACTIVE WINDOW and passes it to the PGP engine. The engine processes it and puts
the cipher text into the ACTIVE WINDOW, replacing the selected text. However,
if another window becomes active while encryption is in progress, the cipher
text goes into that window and the original Message window remains unaffected.
The PGP plugin decides that encryption is done and proceeds with sending the
message.
A remote attacker can force the active window to change, for example, by
sending an ICQ message at the time of encryption.
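The flow described above, modelled as an added example (not code from PGP, Outlook or the advisory): the first send function reads and writes through the active window, the second stays bound to the compose window and refuses to send a body that is not armored. Desktop, toy_encrypt, require_armored and the window names are hypothetical, and base64 stands in for the PGP engine.

```python
# Toy model of the advisory's race; not PGP's or Outlook's code.
import base64

HEAD, TAIL = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def toy_encrypt(plaintext):
    # Stand-in for the PGP engine: base64 is NOT encryption, only armor-like.
    return f"{HEAD}\n{base64.b64encode(plaintext.encode()).decode()}\n{TAIL}"

def require_armored(body):
    """Pre-send gate: refuse any body that is not an armored PGP block."""
    text = body.strip()
    if not (text.startswith(HEAD) and text.endswith(TAIL)):
        raise ValueError("refusing to send: body is not PGP-armored")
    return body

class Desktop:
    """Constructed window manager: window name -> text, plus the active one."""
    def __init__(self):
        self.text = {"message": "quarterly figures", "chat": ""}
        self.active = "message"

def send_via_active_window(desk, focus_change=None):
    """Flawed flow from the advisory: read and write whatever is active."""
    message = desk.active                    # window whose Send was pressed
    cipher = toy_encrypt(desk.text[desk.active])
    if focus_change:                         # focus moves during encryption
        desk.active = focus_change
    desk.text[desk.active] = cipher          # lands in the now-active window
    return desk.text[message]                # sent without any verification

def send_bound_to_window(desk, focus_change=None):
    """Hardened flow: stay bound to the compose window, verify before send."""
    message = desk.active
    cipher = toy_encrypt(desk.text[message])
    if focus_change:
        desk.active = focus_change
    desk.text[message] = cipher              # focus no longer matters
    return require_armored(desk.text[message])

def demo(send, focus_change):
    """Return (body that was sent, contents of the other window)."""
    desk = Desktop()
    return send(desk, focus_change), desk.text["chat"]

if __name__ == "__main__":
    for send in (send_via_active_window, send_bound_to_window):
        sent, chat = demo(send, "chat")
        print(send.__name__, "sent armored:", sent.startswith(HEAD))
```

The armor check alone would also have stopped the flawed flow from sending, since the message window still held plain text when the send step ran.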
ADDITIONAL INFORMATION
The information has been provided by Peter Trifonov <pvthome@hotbox.ru>.