In association with heise online

29 January 2007, 19:05

Code can be injected into PGP Desktop

A vulnerability in PGP Desktop allows attackers to inject and execute arbitrary code. After PGP Desktop's installation process, two additional services (PGPServ.exe and PGPsdkServ.exe) run on the system; they can be reached both locally and remotely via RPC over "named pipes".

A flaw during the transmission of certain objects allows attackers to inject code into computers and execute it with system rights. To do so, the attacker has to be authenticated in some way; according to service provider NGSSoftware, which discovered the hole, a null session cannot be exploited for this purpose. NGSSoftware does not provide any additional information. Versions 7.x, 8.x and 9.x are affected; the flaw has been remedied starting with version 9.5.1.
