PGP Plugin for Outlook can send unencrypted messages

From: Peter Trifonov (pvthomeat_private)
Date: Sat Dec 22 2001 - 05:41:57 PST

    Summary:
    If the window focus changes while PGP is encrypting a 
    message, the encrypted text goes to the wrong window 
    and the message is sent unencrypted.
    
    Systems affected:
    Discovered on Windows 2000; seems to be the 
    same on other Windows versions; PGP freeware 
    7.0.3
    
    Explanation:
    The PGP plugin seems to operate as follows: 
    When you press the Send button in the Message 
    window, it selects text FROM THE ACTIVE WINDOW and 
    passes it to the PGP Engine. The engine processes it and puts 
    the ciphertext into the ACTIVE WINDOW, replacing the 
    selected text. But if another window becomes active 
    while encryption is going on, the ciphertext goes into that 
    window and the original Message window remains 
    unaffected. The PGP plugin decides that encryption is 
    done and proceeds with sending the message.
    
    A remote attacker can force the active window to change, 
    for example by sending an ICQ message at the time 
    of encryption. 
    
    Conclusions:
    This bug report has been posted here to warn people 
    about the potential danger coming from an easy-to-use 
    window-button interface to encryption software. 
    However, it seems to me that the problem can be 
    easily fixed.
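As an added illustration (not part of the original report, and not code from the PGP plugin itself), the following Python script shows the kind of send-time check that would catch the failure described above: before the message is handed to the mailer, refuse to send unless the entire body is a single well-formed OpenPGP ASCII-armored message, verified down to the armor CRC-24 rather than just the BEGIN line. The packet bytes and the plaintext are constructed for the example, and all function and constant names (`crc24`, `armor_message`, `check_armored_message`, `send_guard`, `SAMPLE_*`) are the example's own, not an API of the plugin.

```python
import base64
import binascii

# OpenPGP armor checksum parameters (RFC 4880, section 6.1).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

BEGIN_LINE = "-----BEGIN PGP MESSAGE-----"
END_LINE = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """CRC-24 as used in OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_message(packets: bytes) -> str:
    """Wrap raw OpenPGP packet bytes in a PGP MESSAGE armor block.
    Used here only to build the constructed sample input."""
    b64 = base64.b64encode(packets).decode("ascii")
    data_lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join([BEGIN_LINE, "Version: example", "", *data_lines, crc_line, END_LINE, ""])


def check_armored_message(body: str) -> tuple[bool, str]:
    """Return (ok, reason).  ok is True only when the whole body is one
    PGP MESSAGE armor block: correct header and trailer lines, valid base64,
    a CRC-24 that matches the decoded payload, and a first payload byte that
    carries the OpenPGP packet-tag marker bit.  Plaintext that was never
    replaced, or ciphertext appended after plaintext, both fail."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    if not lines or lines[0] != BEGIN_LINE:
        return False, "body does not start with the PGP MESSAGE header line"
    if lines[-1] != END_LINE:
        return False, "body does not end with the PGP MESSAGE trailer line"
    try:
        blank = lines.index("", 1)  # the blank line ends the armor headers
    except ValueError:
        return False, "no blank line between armor headers and data"
    for header in lines[1:blank]:
        if ": " not in header:
            return False, f"malformed armor header: {header!r}"
    data_lines = lines[blank + 1:-1]
    if len(data_lines) < 2 or not data_lines[-1].startswith("="):
        return False, "missing armor checksum line"
    try:
        packets = base64.b64decode("".join(data_lines[:-1]), validate=True)
        crc_bytes = base64.b64decode(data_lines[-1][1:], validate=True)
    except (binascii.Error, ValueError):
        return False, "armor data is not valid base64"
    if len(crc_bytes) != 3 or int.from_bytes(crc_bytes, "big") != crc24(packets):
        return False, "armor checksum does not match payload"
    if not packets or not packets[0] & 0x80:
        return False, "payload does not begin with an OpenPGP packet header"
    return True, "well-formed PGP MESSAGE"


def send_guard(body: str) -> bool:
    """Decision a plugin would take just before handing the message to the
    mailer: True = allow the send, False = block it and alert the user."""
    ok, reason = check_armored_message(body)
    print(("SEND" if ok else "BLOCK") + ": " + reason)
    return ok


# Constructed sample input (not real ciphertext): an old-format packet header
# with tag 1 (Public-Key Encrypted Session Key), one-byte length 2, and two
# dummy body bytes.  Enough for this guard, which only inspects the tag bit.
SAMPLE_PACKETS = bytes([0x84, 0x02, 0x03, 0xAB])
SAMPLE_ARMORED = armor_message(SAMPLE_PACKETS)
SAMPLE_PLAINTEXT = "Meeting moved to 3pm; the contract draft is attached."

if __name__ == "__main__":
    send_guard(SAMPLE_ARMORED)                            # ciphertext landed in this window
    send_guard(SAMPLE_PLAINTEXT)                          # focus stolen: plaintext untouched
    send_guard(SAMPLE_PLAINTEXT + "\n" + SAMPLE_ARMORED)  # ciphertext appended, not replaced
```

Run as a script, the three calls print one SEND and two BLOCK lines. The guard deliberately checks the body the mailer is about to transmit, not the text the engine produced, so it does not matter which window the ciphertext ended up in: if the outgoing body is not a complete armor block whose checksum verifies, the send is refused.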
    



    This archive was generated by hypermail 2b30 : Sun Dec 23 2001 - 14:57:52 PST