Software flaw afflicts ability to send scrambled e-mails

By Ted Bridis, The Associated Press
Thursday July 11, 2002

WASHINGTON — The world’s most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user’s computer and, in some circumstances, unscramble messages. 

The software, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it. 

The new vulnerability, discovered weeks ago by researchers at eEye Digital Security Inc., does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft Corp.’s Outlook e-mail program encrypt messages with a few mouse clicks. 

Outlook itself has emerged as the world’s standard for e-mail software, with tens of millions of users inside many of the world’s largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them. 

“It’s not the number of people using PGP but the fact that they’re using it because they’re trying to safeguard their data,” said Marc Maiffret, the eEye executive and researcher who discovered the problem. “Whatever the percentage is, it’s very important data.” 

Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was “not totally obvious,” even to trained researchers examining the software blueprints. 

Network Associates Inc. of Santa Clara, Calif., which until February distributed both commercial and free versions of PGP, made available on its Web site a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn’t been profitable, but moved within weeks to repair the problem in existing versions. The company’s shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange. 

Free versions of PGP are widely available on the World Wide Web. 

The flaw allows a hacker to send a specially coded e-mail — which would appear as a blank message followed by an error warning — and effectively seize control of the victim’s computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person’s secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult. 

“You can do whatever you want — execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff,” Maiffret said. 

Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them.