CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Outlook plug-in could let the hackers in

The Pretty Good Privacy encryption plug-in for Microsoft's Outlook has a flaw that could hand hackers the key to coded e-mails.

A widely used plug-in for Microsoft's Outlook e-mail client that lets users encrypt and digitally sign messages has inadvertently weakened security and left the mail program open to attack.

Security company eEye Digital Security issued a warning late Wednesday to users of Network Associates' Pretty Good Privacy (PGP) plug-in for Outlook, saying that a vulnerability in the add-on could let attackers execute malicious software on a victim's computer. Network Associates released a patch for the problem Wednesday as well.

The irony of the flaw--it affects the most security conscious of computer users--did not escape Marc Maiffret, chief hacking officer for eEye.

"PGP is such a trusted product," Maiffret said. "It's a product made specifically to stop attackers from accessing your data, and here it is not only not stopping them but making it easier to get in."

The flaw occurs because PGP handles certain malformed e-mails incorrectly, said the eEye advisory. An attacker could send a specially crafted e-mail to an Outlook user who has the PGP plug-in installed and could then be able to access that user's system. Not only could attackers execute hostile programs, they could also steal the victim's private encryption keys and have access to coded communications.

Although he expected PGP users to patch their systems quickly, Maiffret said the danger is somewhat magnified by the fact that not only the sender but also all the recipients of encrypted e-mail have to have patched their PGP plug-in.

"If the person you are sending stuff to has not applied the patch, then you are still at risk," Maiffret said.

Microsoft's Outlook e-mail client has been lambasted in the past for its poor security. This time, however, the problem is not with the program but with a plug-in.

The issue doesn't affect PGP Corporate Desktop users, stated Network Associates in its advisory. The patch is available on the company's Web site.