PGP Desktop fails to properly validate objects passed into the PGP Desktop service. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code.
PGP Desktop versions prior to 9.5.1 fail to properly validate objects passed into the PGP Desktop service (PGPServ.exe/PGPsdkServ.exe). This service is installed by PGP Desktop to transport objects and data between the PGP clients and the PGP Desktop service. The PGP Desktop service fails to properly validate user-supplied data. This may allow a remote, authenticated attacker to overwrite arbitrary memory.
A remote, authenticated attacker may be able to execute arbitrary code, possibly with elevated privileges.
PGP has addressed this issue in PGP version 9.5.1 and above.
PGP has provided the following workarounds:
1. Turn off Windows Filesharing. This is the definitive way to eliminate the problem since disabling Windows Filesharing would prevent the attack.
2. Use a third-party Personal Firewall, or the built-in Windows XP SP2 Firewall. Block foreign connections to your RPC/Filesharing services.
Vendor| Status| Date Notified| Date Updated
PGP Corporation| | -| 31 Jan 2007
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
This vulnerability was reported by Peter Winter-Smith of NGSSoftware.
This document was written by Katie Steiner.