Code can be injected into PGP Desktop
A vulnerability in PGP Desktop allows attackers to inject and execute arbitrary code. Once PGP Desktop has been installed, two additional services (PGPServ.exe and PGPsdkServ.exe) run on the system; they can be reached both locally and remotely via RPC over named pipes.
A flaw in the transmission of certain objects allows attackers to inject code into a computer and execute it with system rights. To do so, the attacker must be authenticated in some way; according to NGSSoftware, the service provider that discovered the hole, a null session cannot be exploited for this purpose. NGSSoftware has not provided any additional information. Versions 7.x, 8.x and 9.x are affected; the flaw has been remedied as of version 9.5.1.
- Medium Risk Vulnerability in PGP Desktop, NGSSoftware's security advisory
(ehe)