Vulnerability Note VU#102465
PGP Desktop service fails to validate user supplied data
PGP Desktop fails to properly validate objects passed into the PGP Desktop service. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code.
PGP Desktop versions prior to 9.5.1 fail to properly validate objects passed into the PGP Desktop service (PGPServ.exe/PGPsdkServ.exe). PGP Desktop installs this service to transport objects and data between the PGP clients and the service. Because the service fails to properly validate user-supplied data, a remote, authenticated attacker may be able to overwrite arbitrary memory.
A remote, authenticated attacker may be able to execute arbitrary code, possibly with elevated privileges.
PGP has addressed this issue in PGP version 9.5.1 and above.
2. Use a third-party Personal Firewall, or the built-in Windows XP SP2 Firewall. Block foreign connections to your RPC/Filesharing services.
Systems Affected

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|PGP Corporation|Affected|-|31 Jan 2007|
This vulnerability was reported by Peter Winter-Smith of NGSSoftware.
This document was written by Katie Steiner.
- CVE IDs: CVE-2007-0603
- Date Public: 25 Jan 2007
- Date First Published: 31 Jan 2007
- Date Last Updated: 12 Feb 2007
- Severity Metric: 4.04
- Document Revision: 23