GPG on Window GUI

Peter Kuhm peter.kuhm@plus.at
Thu Dec 27 15:58:02 2001


At 14:52 27.12.01 +0100, Pavel Chovancik wrote:

>I've gone through the inet and it seems the best way for me is GPGShell and
>GPGOE.

I'm in the lucky position that I always could drive past M$ OE and neither
know details about GPGOE plug-in behaviour nor OE itself.

Just for my general understanding I want to ask if this problem mentioned
below can become true also with GPG OE plug-in. Does the plug-in user
see if he accidentally sends his mail unencrypted?

TIA,
Peter

===SNIP===

Date: Wed, 26 Dec 2001 08:34:38 +0200
From: wcne <webmaster@wireless-ce.com>
Subject: Re: PGP Plugin for Outlook can send unencrypted messages
To: bugtraq@securityfocus.com


Some active mouse implementations can really make this a problem, as the
focus will follow whatever the mouse rolls over.  The problem can also
happen when using the tray icon to encrypt & sign the current window.  I've
seen it since PGP version 6.5.1, and in Windows 95, 98, ME, 2000.

I work-around by using the tray icon rather than the plugin for Outlook
Express for encryption.  I can see the message encrypted that way.



----- Original Message -----
From: "Peter Trifonov" <pvthome@hotbox.ru>
To: <bugtraq@securityfocus.com>
Sent: Saturday, December 22, 2001 3:41 PM
Subject: PGP Plugin for Outlook can send unencrypted messages


> Summary:
> If window focus changes while PGP is encrypting a
> message encrypted text goes to the wrong window
> and message is sent unencrypted
>
> Systems affected:
> Discovered on Windows 2000; seems to be the
> same on other Windows versions; PGP freeware
> 7.0.3
>
> Explanation:
> PGP plugin seems to operate as follows:
> When you press the Send button in the Message
> window it selects text FROM ACTIVE WINDOW and
> passes it to the PGP Engine. It processes it and puts
> ciphertext into the ACTIVE WINDOW replacing the
> selected text. But if another window becomes active
> while encryption goes on ciphertext goes into that
> window and original Message window remains
> unaffected. PGP plugin decides that encryption is
> done and proceeds with message sending.
>
> Remote attacker can force active window to change,
> for example, by sending an ICQ message at the time
> of encryption.
>
> Conclusions:
> This bug report has been posted here to warn people
> about potential danger coming from easy-to-use
> window-button interface to encryption software.
> However, it seems to me that the problem can be
> easily fixed

===SNAP===
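
Added example (not part of the original messages, and not code from PGP, GPGOE or any plug-in): a toy Python model of the focus race described in the quoted report, next to a variant that binds to the compose window and refuses to send a body that is not PGP-armored. The Desktop class, the fake_encrypt stand-in and the window names are assumptions made for illustration.

```python
# Toy model (constructed): no real PGP or Win32 calls are made.
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"

class Desktop:
    """Hypothetical desktop: window name -> text, plus the currently active window."""
    def __init__(self, active, **windows):
        self.text = dict(windows)
        self.active = active

def fake_encrypt(plaintext):
    # Stand-in for the PGP engine: NOT encryption, only yields an armored-looking body.
    return f"{ARMOR_BEGIN}\n\n{plaintext.encode().hex()}\n{ARMOR_END}"

def is_armored(body):
    lines = body.strip().splitlines()
    return len(lines) >= 3 and lines[0] == ARMOR_BEGIN and lines[-1] == ARMOR_END

def send_via_active_window(desk, focus_steal=None):
    """Behaviour described in the report: read from and write to whatever is active."""
    compose = desk.active                    # window where Send was pressed
    cipher = fake_encrypt(desk.text[desk.active])
    if focus_steal:                          # another window becomes active mid-encryption
        desk.active = focus_steal
    desk.text[desk.active] = cipher          # ciphertext lands in the current active window
    return desk.text[compose]                # success is assumed; compose body is sent

def send_via_handle(desk, focus_steal=None):
    """Hardened variant: bind to the compose window once and verify before sending."""
    compose = desk.active
    cipher = fake_encrypt(desk.text[compose])
    if focus_steal:
        desk.active = focus_steal
    desk.text[compose] = cipher              # write back by handle, not by focus
    if not is_armored(desk.text[compose]):   # fail closed rather than send plaintext
        raise RuntimeError("refusing to send: body is not PGP-armored")
    return desk.text[compose]
```

The is_armored check alone, applied to the outgoing body just before sending, would also stop the first variant from sending plaintext.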