[NT] PGP 7.0 Outlook Plug-in Flaw

From: support@securiteam.com
Date: 01/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  9 Jan 2002 22:07:05 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  PGP 7.0 Outlook Plug-in Flaw
------------------------------------------------------------------------

SUMMARY

Despite the documentation stating otherwise, there appears to be a bug
that causes PGP 7.0 Outlook Plug-in running on Outlook 98 connected to an
Exchange Server to automatically save decrypted messages as decrypted when
the recipient chooses to reply to a PGP encrypted message. This occurs
only when the user has the PGP Mail option to "Automatically
decrypt/verify when opening messages" checked, and "Always use Secure
Viewer when decrypting" is not checked.

DETAILS

Vulnerable systems:
PGP version 7.0 up to, but not including, version 7.1.1

Immune systems:
PGP version 7.1.1

Since the Secure Viewer option is supposed to prevent storage of decrypted
items, it seems clear that the problem is in the "Automatically
decrypt/verify when opening messages" option. The documentation states
"You can save the message in its decrypted state, or you can save the
original encrypted version so that it remains secure.", and this has
always been my experience prior to this configuration/scenario.

If a PGP encrypted message is received, and the recipient opens and
decrypts it, and then closes it, the original message is left encrypted in
the recipient's mailbox. This is as one would expect.

If a PGP encrypted message is received, and the recipient opens, decrypts
and replies, or decrypts and replies to it, the original message is
silently saved to disk decrypted... the user is not prompted as to whether
this action should happen or not.

In the case of the above tests, the message was sent from one user on an
Exchange Server to another user on the same Exchange Server. The Sender
sends from a PST, not the server, and the Recipient stores on the Exchange
Server. The reply is being sent to the originating user. Whether Exchange
is contributing to the problem in this case is unknown.

Clearly, this irreversible action, saving the decrypted message just
because it has been replied to, should not be happening. This problem is
not remotely exploitable; instead recipients who reply to PGP encrypted
messages should be aware that their saved copy of the original message is
decrypted.

Workarounds:
Ensure either that the Secure Viewer is always used, or that Automatic
decrypt/verify is not checked.

Vendor response:
Network Associates' PGP Product Management indicates that "All of the
issues you describe, to the extent that they were problems, are already
fixed in the current shipping release: 7.1.1". Application of the
workarounds or upgrades is recommended.
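
Mailbox audit for the exposure described above, as an added example (not
part of the original advisory and not vendor code): it flags stored messages
that lack PGP ASCII armor although the reply to them was encrypted. It assumes
the mailbox was exported to RFC 822 text with Message-ID and In-Reply-To
headers preserved; the sample messages and function names are constructed for
illustration, and a hit is only a candidate for review, since the original may
have arrived unencrypted.

```python
import email
from email import policy

ARMOR = "-----BEGIN PGP MESSAGE-----"  # ASCII-armor header of an encrypted message
ENC = ARMOR + "\n(constructed placeholder, not real ciphertext)\n-----END PGP MESSAGE-----"

def _msg(msg_id, subject, body, reply_to=None):
    """Build one constructed RFC 822 message (sample data, not real mail)."""
    head = f"Message-ID: {msg_id}\nSubject: {subject}\n"
    if reply_to:
        head += f"In-Reply-To: {reply_to}\n"
    return head + "\n" + body + "\n"

# Constructed export: (folder, raw message). m2 was replied to with an
# encrypted reply but is stored in clear text, which is the case to find.
SAMPLE_EXPORT = [
    ("Inbox", _msg("<m1@example.test>", "Budget", ENC)),
    ("Inbox", _msg("<m2@example.test>", "Contract draft", "Terms in clear text")),
    ("Inbox", _msg("<m3@example.test>", "Lunch", "Noon?")),
    ("Sent Items", _msg("<r1@example.test>", "RE: Budget", ENC, "<m1@example.test>")),
    ("Sent Items", _msg("<r2@example.test>", "RE: Contract draft", ENC, "<m2@example.test>")),
    ("Sent Items", _msg("<r3@example.test>", "RE: Lunch", "Sure", "<m3@example.test>")),
]

def is_armored(msg):
    """True if any text/plain part still carries the PGP armor header."""
    return any(ARMOR in part.get_content()
               for part in msg.walk() if part.get_content_type() == "text/plain")

def find_plaintext_originals(export):
    """Return (folder, message-id, subject) of unarmored originals of encrypted replies."""
    parsed = [(folder, email.message_from_string(raw, policy=policy.default))
              for folder, raw in export]
    by_id = {str(m["Message-ID"]).strip(): (folder, m)
             for folder, m in parsed if m["Message-ID"]}
    findings = []
    for _, reply in parsed:
        ref = str(reply["In-Reply-To"] or "").strip()
        if not ref or not is_armored(reply):
            continue  # not a reply, or the thread was never encrypted
        hit = by_id.get(ref)
        if hit and not is_armored(hit[1]):
            findings.append((hit[0], ref, str(hit[1]["Subject"])))
    return findings

if __name__ == "__main__":
    for folder, msg_id, subject in find_plaintext_originals(SAMPLE_EXPORT):
        print(f"review: {folder} {msg_id} {subject!r} is stored without PGP armor")
```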

ADDITIONAL INFORMATION

The information has been provided by Mark Wiater <mwiater@BAYSERVE.NET>.
