Discussion:
Need Patch for PGP 10.0.3 Desktop Trial Version
David E. Ross
2010-11-28 19:40:20 UTC
There is a serious security vulnerability in PGP 10.0.3 Desktop. This
is reported in PGP Advisory SYM10-012 at
<http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00>
and in US-CERT Vulnerability Note VU#300785 at
The PGP Desktop user interface incorrectly displays
messages with unsigned data as signed. A user will
not be able to distinguish the legitimate signed part
from the malicious unsigned parts.
That is, data can be inserted into a previously signed message or file.
The signature will still verify.

A patch is available from PGP for the paid version of PGP 10.0.3
Desktop. Does anyone know how to get the patch for the unpaid trial
version under Windows XP?
--
David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross
David E. Ross
2010-11-30 00:54:19 UTC
Post by David E. Ross
There is a serious security vulnerability in PGP 10.0.3 Desktop. This
is reported in PGP Advisory SYM10-012 at
<http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00>
and in US-CERT Vulnerability Note VU#300785 at
The PGP Desktop user interface incorrectly displays
messages with unsigned data as signed. A user will
not be able to distinguish the legitimate signed part
from the malicious unsigned parts.
That is, data can be inserted into a previously signed message or file.
The signature will still verify.
A patch is available from PGP for the paid version of PGP 10.0.3
Desktop. Does anyone know how to get the patch for the unpaid trial
version under Windows XP?
In a reply to an E-mail message I sent to PGP Support, I was told that I
cannot get the fix for this very serious bug unless I pay for PGP
Desktop. I will thus stay with PGP 8.0.3.
--
David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.
TomT
2010-11-30 20:29:55 UTC
Post by David E. Ross
Post by David E. Ross
There is a serious security vulnerability in PGP 10.0.3 Desktop. This
is reported in PGP Advisory SYM10-012 at
<http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00>
and in US-CERT Vulnerability Note VU#300785 at
The PGP Desktop user interface incorrectly displays
messages with unsigned data as signed. A user will
not be able to distinguish the legitimate signed part
from the malicious unsigned parts.
That is, data can be inserted into a previously signed message or file.
The signature will still verify.
A patch is available from PGP for the paid version of PGP 10.0.3
Desktop. Does anyone know how to get the patch for the unpaid trial
version under Windows XP?
In a reply to an E-mail message I sent to PGP Support, I was told that I
cannot get the fix for this very serious bug unless I pay for PGP
Desktop. I will thus stay with PGP 8.0.
David - I admit I don't keep up-to-date with the latest problems or
fixes but simply rely on Debian to catch me up with them but is it
possible for you to shift to GPG? IOW, does GPG have the same problem
and, if not, could you shift?

TomT
