Vulnerability Note VU#102465

PGP Desktop service fails to validate user supplied data

Original Release date: 31 Jan 2007 | Last revised: 12 Feb 2007


PGP Desktop fails to properly validate objects passed into the PGP Desktop service. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code.


PGP Desktop versions prior to 9.5.1 fail to properly validate objects passed into the PGP Desktop service (PGPServ.exe/PGPsdkServ.exe). This service is installed by PGP Desktop to transport objects and data between the PGP clients and the PGP Desktop service. The PGP Desktop service fails to properly validate user-supplied data. This may allow a remote, authenticated attacker to overwrite arbitrary memory.


A remote, authenticated attacker may be able to execute arbitrary code, possibly with elevated privileges.



PGP has addressed this issue in PGP version 9.5.1 and above.


PGP has provided the following workarounds:

1. Turn off Windows Filesharing. This is the definitive way to eliminate the problem since disabling Windows Filesharing would prevent the attack.
2. Use a third-party Personal Firewall, or the built-in Windows XP SP2 Firewall. Block foreign connections to your RPC/Filesharing services.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
PGP CorporationAffected-31 Jan 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was reported by Peter Winter-Smith of NGSSoftware.

This document was written by Katie Steiner.

Other Information

  • CVE IDs: CVE-2007-0603
  • Date Public: 25 Jan 2007
  • Date First Published: 31 Jan 2007
  • Date Last Updated: 12 Feb 2007
  • Severity Metric: 4.04
  • Document Revision: 23


If you have feedback, comments, or additional information about this vulnerability, please send us email.