Discussion:
PGP and Adobe Reader
David E. Ross
2010-11-24 16:35:43 UTC
I have PGP 8.0.3 installed. I never upgraded because I never saw a new
feature of PGP 9.x or 10.x that I would use, and I never saw a report
about any vulnerability or serious bug in PGP 8.0.3.

I have Adobe Reader 9.4 installed. This contains a serious
vulnerability, which is supposedly fixed in Adobe Reader X (10.0.0.1).
See <http://www.kb.cert.org/vuls/id/491991>.

However, Adobe Reader X will NOT operate if any PGP 8.x is installed.
Adobe's solution is that I should install PGP 10.0.3. But the latest
version of PGP 10.0.3 apparently also has a serious vulnerability --
more serious than the one in Adobe Reader 9.4 -- as reported at
<http://www.kb.cert.org/vuls/id/300785>; at least, the date of the
report is after the build date of the PGP 10.0.3 installer that I
downloaded.
--
David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross
David W. Hodgins
2010-11-24 19:28:01 UTC
Post by David E. Ross
I have PGP 8.0.3 installed. I never upgraded because I never saw a new
However, Adobe Reader X will NOT operate if any PGP 8.x is installed.
Adobe's solution is that I should install PGP 10.0.3. But the latest
version of PGP 10.0.3 apparently also has a serious vulnerability --
more serious than the one in Adobe Reader 9.4 -- as reported at
<http://www.kb.cert.org/vuls/id/300785>; at least, the date of the
report is after the build date of the PGP 10.0.3 installer that I
downloaded.
The article states the vulnerability applies to 10.0.3 AND earlier
pgp Desktop version, so it appears 8.0.3 is also affected.

As per the article, install 10.0.3 SP2 or "do not use the Decrypt &
Verify shortcut menu available when you right-click an OpenPGP
message file." I'm using gpg on Linux, so I'm not sure if there
is a separate download for SP2, or if you have to install 10.0.3,
and then install an update.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Thor Kottelin
2010-11-25 15:52:29 UTC
Post by David W. Hodgins
The article states the vulnerability applies to 10.0.3 AND earlier
pgp Desktop version, so it appears 8.0.3 is also affected.
The article appears to have been somewhat carelessly written in this
respect.

According to PGP Corporation, version 8.1 is not affected. (That is the
only version I asked about.)
--
Thor Kottelin
http://www.anta.net/
David E. Ross
2010-11-26 15:37:08 UTC
The PGP vulnerability is reported in PGP Advisory SYM10-012 at
<http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00.>
and in US-CERT Vulnerability Note VU#300785 at
Post by David E. Ross
The PGP Desktop user interface incorrectly displays
messages with unsigned data as signed. A user will
not be able to distinguish the legitimate signed part
from the malicious unsigned parts.
PGP (now part of Symantec) has a fix for this serious problem. However,
the fix is NOT available to those who use the trial form (freeware) of
PGP 10.0.3. Apparently, there is no plan to make that fix available
except to the paid form of PGP 10.0.3.
--
David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross
jake mccann
2011-01-14 23:35:36 UTC
I have a similar issue with Adobe Reader X and PGP - a workaround
seems to be setting the compatibility settings to Windows 2000 on the
AcroRead32.exe
David E. Ross
2011-01-15 16:50:12 UTC
Post by jake mccann
I have a similar issue with Adobe Reader X and PGP - a workaround
seems to be setting the compatibility settings to Windows 2000 on the
AcroRead32.exe
While that worked for Adobe Reader X as a stand-alone application, it
hosed my ability to view PDF files in my browser (SeaMonkey). All I
would get would be a large horizontal progress bar in the middle of my
browser window.

Also, as a stand-alone, I would get frequent error popups about Reader
having a failure and shutting down. However, it did not shut down and
operated okay.

I'm sticking with Reader 9.4 until an "evaluation" PGP 10.1.1 is
available (or whatever PGP evaluation version fixes the Unsigned
Data-Injection Vulnerability).
--
David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.