Network Computing is part of the Informa Tech Division of Informa PLC


NAI Follows Through

Foundstone has discovered a buffer overflow in all versions of Pretty Good Privacy Corporate Desktop 7.1, and Network Associates has issued a hot fix.

The overflow occurs when PGP Corporate Desktop tries to decrypt a PGP archive that contains a file name with more than 200 characters. Foundstone was able to run arbitrary code by sending a PGP-encrypted archive containing a long file name using a proof-of-concept exploit the vendor developed.
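The defect pattern the article describes, a fixed-size file-name buffer filled from a length the archive itself supplies, shown in a C sketch added here beside a bounds-checked version. This is illustrative code, not PGP's or NAI's; the one-byte-length entry layout and the 200-byte limit are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed entry layout for this example: one length byte, then the
 * file-name bytes. Real PGP archives are not laid out this way. */
#define NAME_LIMIT 200

/* Vulnerable pattern (for comparison only; never called below): the name
 * is copied into a fixed buffer trusting the length byte from the archive. */
void copy_name_unchecked(const uint8_t *entry, char *out /* NAME_LIMIT+1 bytes */) {
    size_t len = entry[0];
    memcpy(out, entry + 1, len);   /* len may exceed the buffer: overflow */
    out[len] = '\0';
}

/* Hardened: check the claimed length against both the data actually present
 * and the destination size before copying. Returns 1 on success, 0 if the
 * entry is truncated or the name would not fit. */
int copy_name_checked(const uint8_t *entry, size_t entry_len,
                      char *out, size_t out_size) {
    if (entry_len < 1) return 0;
    size_t len = entry[0];
    if (len > entry_len - 1) return 0;                 /* truncated entry */
    if (len >= out_size || len > NAME_LIMIT) return 0; /* would overflow */
    memcpy(out, entry + 1, len);
    out[len] = '\0';
    return 1;
}

/* Build a constructed entry whose name is n copies of 'A' (n <= 255).
 * Returns the entry length, or 0 if it cannot be built. */
size_t make_entry(uint8_t *buf, size_t buf_size, size_t n) {
    if (n > 255 || buf_size < n + 1) return 0;
    buf[0] = (uint8_t)n;
    memset(buf + 1, 'A', n);
    return n + 1;
}

int main(void) {
    uint8_t entry[256];
    char name[NAME_LIMIT + 1];
    size_t n = make_entry(entry, sizeof entry, 230);
    printf("230-char name accepted: %d\n", copy_name_checked(entry, n, name, sizeof name));
    n = make_entry(entry, sizeof entry, 120);
    printf("120-char name accepted: %d\n", copy_name_checked(entry, n, name, sizeof name));
    return 0;
}
```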

It's commendable that even though Network Associates is in the process of divesting itself of interests in PGP, it researched the problem and issued a patch. NAI could have passed the problem off to PGP Corp. In the turmoil of a company transition, the vulnerability may not have received the attention it deserved.

That's not to say that NAI jumped on the problem without prodding; Foundstone did have to get to the right person at NAI. But this event serves as a good example of responsible disclosure. All vendors should be so responsive.

--Mike Fratto