Re: PGP Plugin for Outlook can send unencrypted messages

From: wcne (webmaster@wireless-ce.com)
Date: 12/26/01


Date: Wed, 26 Dec 2001 08:34:38 +0200
From: wcne <webmaster@wireless-ce.com>
To: bugtraq@securityfocus.com

Some active mouse implementations can really make this a problem, as the
focus will follow whatever the mouse rolls over. The problem can also
happen when using the tray icon to encrypt & sign the current window. I've
seen it since PGP version 6.5.1, and in Windows 95, 98, ME, 2000.

I work around it by using the tray icon rather than the plugin for Outlook
Express for encryption. I can see the message encrypted that way.

----- Original Message -----
From: "Peter Trifonov" <pvthome@hotbox.ru>
To: <bugtraq@securityfocus.com>
Sent: Saturday, December 22, 2001 3:41 PM
Subject: PGP Plugin for Outlook can send unencrypted messages

> Summary:
> If window focus changes while PGP is encrypting a
> message encrypted text goes to the wrong window
> and message is sent unencrypted
>
> Systems affected:
> Discovered on Windows 2000; seems to be the
> same on other Windows versions; PGP freeware
> 7.0.3
>
> Explanation:
> PGP plugin seems to operate as follows:
> When you press the Send button in the Message
> window it selects text FROM ACTIVE WINDOW and
> passes it to the PGP Engine. It processes it and puts
> ciphertext into the ACTIVE WINDOW replacing the
> selected text. But if another window becomes active
> while encryption goes on ciphertext goes into that
> window and original Message window remains
> unaffected. PGP plugin decides that encryption is
> done and proceeds with message sending.
>
> Remote attacker can force active window to change,
> for example, by sending an ICQ message at the time
> of encryption.
>
> Conclusions:
> This bug report has been posted here to warn people
> about potential danger coming from easy-to-use
> window-button interface to encryption software.
> However, it seems to me that the problem can be
> easily fixed
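
The focus race described in the report, modelled as an added example that is not part of either post and is not PGP's code. `Window`, `Desktop`, `plugin_send` and `run` are hypothetical names, `encrypt` is a stand-in that only adds armor markers, and the two options show binding to the message window and a fail-closed check of the outgoing body.

```python
from dataclasses import dataclass, field

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

class SendBlocked(Exception):
    pass

@dataclass
class Window:
    title: str
    text: str = ""

@dataclass
class Desktop:
    active: Window
    outbox: list = field(default_factory=list)

def encrypt(plaintext):
    # Stand-in for the PGP engine: armor markers only, no real cryptography.
    return f"{BEGIN}\n<{len(plaintext)} bytes encrypted>\n{END}"

def is_armored(body):
    body = body.strip()
    return body.startswith(BEGIN) and body.endswith(END)

def plugin_send(desk, message, on_encrypt=None, bind_window=False, verify=False):
    # Reported behaviour (bind_window=False): read from and write to whichever
    # window is active at that moment. bind_window=True keeps a reference to
    # the message window instead, so a focus change cannot redirect the output.
    source = message if bind_window else desk.active
    ciphertext = encrypt(source.text)
    if on_encrypt:
        on_encrypt(desk)                      # focus may change while encrypting
    target = message if bind_window else desk.active
    target.text = ciphertext
    # Fail closed: never assume the write succeeded; inspect the outgoing body.
    if verify and not is_armored(message.text):
        raise SendBlocked("message body is not PGP-armored")
    desk.outbox.append(message.text)

def run(**opts):
    # Constructed scenario: a chat window takes focus during encryption.
    msg, chat = Window("Message", "meet at noon"), Window("ICQ")
    desk = Desktop(active=msg)
    try:
        plugin_send(desk, msg, lambda d: setattr(d, "active", chat), **opts)
        blocked = False
    except SendBlocked:
        blocked = True
    return desk.outbox, chat.text, blocked
```

`run()` reproduces the reported outcome, while `run(bind_window=True)` and `run(verify=True)` show each safeguard on its own.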


