PGP Working On Patch For Encryption Software Flaw
(URL: crn.com)
By Marcia Savage, CRN. Santa Clara, Calif., 2:58 PM EST, Fri., Aug. 25, 2000
  PGP Security, a division of Network Associates, said Friday it is working on fixes for a flaw in its e-mail encryption software that makes it vulnerable to malicious attackers. 
  The bug was discovered in PGP (pretty good privacy) versions 5.5 through 6.5.3 by researcher Ralf Senderek, according to the CERT center at Carnegie Mellon University. 
  PGP, based here, says it learned of the bug Thursday morning and had staff working on a patch late into the night. Fixes for the flaw were scheduled to be posted Friday afternoon on PGP's Web site. 
  The security flaw pertains to a feature in certain versions of the PGP software that allows authorized extra decryption keys to be added to a user's public key certificate, CERT says. The bug allows an attacker to alter the user's public certificate and read messages. 
  "We're not aware of any customer who has had any data compromised or loss of security because of this bug," says Mike Wallach, president of PGP Security. "We think this is a very low probability and an unlikely scenario, but the possibility exists for someone to target an individual and, if given the right circumstances, to read their encrypted e-mail." 
  Wallach says the company published the software's source code for peer review with the intention of uncovering flaws and responding to them. 
  "We expect to have people scrutinize the code and look for vulnerabilities and let us know when they're found," Wallach says. "That's a way for us to know we have the most secure and highest quality encryption." 
  Wallach says PGP was not notified ahead of time by the researcher who found and published the security flaw. "We don't think that's a proper way for this process to have proceeded," he says. 