PGP Desktop fails to properly validate objects passed into the PGP Desktop service. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code.
PGP Desktop versions prior to 9.5.1 fail to properly validate objects passed into the PGP Desktop service (PGPServ.exe/PGPsdkServ.exe). PGP Desktop installs this service to transport objects and data between the PGP clients and the service. Because the service does not properly validate user-supplied data, a remote, authenticated attacker may be able to overwrite arbitrary memory.
A remote, authenticated attacker may be able to execute arbitrary code, possibly with elevated privileges.
PGP has addressed this issue in PGP version 9.5.1 and above.
This vulnerability was reported by Peter Winter-Smith of NGSSoftware.
This document was written by Katie Steiner.
Date First Published:
Date Last Updated:
2007-02-12 09:15 UTC