Some active mouse implementations can really make this a problem, as the focus will follow whatever the mouse rolls over. The problem can also happen when using the tray icon to encrypt & sign the current window. I've seen it since PGP version 6.5.1, and in Windows 95, 98, ME, 2000.

I work around it by using the tray icon rather than the plugin for Outlook Express for encryption. I can see the message encrypted that way.

----- Original Message -----
From: "Peter Trifonov" <pvthome@hotbox.ru>
To: <bugtraq@securityfocus.com>
Sent: Saturday, December 22, 2001 3:41 PM
Subject: PGP Plugin for Outlook can send unencrypted messages

>
> > Summary:
> > If window focus changes while PGP is encrypting a
> > message encrypted text goes to the wrong window
> > and message is sent unencrypted
> >
> > Systems affected:
> > Discovered on Windows 2000; seems to be the
> > same on other Windows versions; PGP freeware
> > 7.0.3
> >
> > Explanation:
> > PGP plugin seems to operate as follows:
> > When you press the Send button in the Message
> > window it selects text FROM ACTIVE WINDOW and
> > passes it to the PGP Engine. It processes it and puts
> > ciphertext into the ACTIVE WINDOW replacing the
> > selected text. But if another window becomes active
> > while encryption goes on ciphertext goes into that
> > window and original Message window remains
> > unaffected. PGP plugin decides that encryption is
> > done and proceeds with message sending.
> >
> > Remote attacker can force active window to change,
> > for example, by sending an ICQ message at the time
> > of encryption.
> >
> > Conclusions:
> > This bug report has been posted here to warn people
> > about potential danger coming from easy-to-use
> > window-button interface to encryption software.
> > However, it seems to me that the problem can be
> > easily fixed
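
Added example (not part of the original posts, and not PGP or Outlook code): a small Python model of the behaviour the quoted report describes, next to a variant that binds to the compose window captured at Send time and refuses to send a body that is not PGP-armored. `Window`, `Desktop`, `fake_encrypt` and the sample texts are hypothetical stand-ins constructed for illustration; no real encryption is performed.

```python
# Constructed model of the focus race in the report; not PGP or Outlook code.
from dataclasses import dataclass

ARMOR = "-----BEGIN PGP MESSAGE-----"

@dataclass
class Window:
    title: str
    text: str

class Desktop:
    """Tracks which window currently has focus (hypothetical stand-in)."""
    def __init__(self, *windows):
        self.active = windows[0]

def fake_encrypt(plaintext, on_busy=None):
    """Placeholder for the PGP engine: hex of reversed text, NOT encryption.
    on_busy models an event (e.g. a popup) arriving while it runs."""
    if on_busy:
        on_busy()
    return f"{ARMOR}\n{plaintext[::-1].encode().hex()}\n-----END PGP MESSAGE-----"

def require_armored(body):
    """Pre-send gate: fail closed if the outgoing body is not ciphertext."""
    if not body.startswith(ARMOR):
        raise RuntimeError("refusing to send: body is not PGP-armored")
    return body

def send_vulnerable(desktop, compose, on_busy=None):
    """Reads from and writes to whatever window is active, then sends."""
    ciphertext = fake_encrypt(desktop.active.text, on_busy)
    desktop.active.text = ciphertext      # lands wherever focus is now
    return compose.text                   # sent without any check

def send_hardened(desktop, compose, on_busy=None):
    """Binds to the compose window captured at Send time and checks output."""
    target = compose                      # fixed reference, focus ignored
    target.text = fake_encrypt(target.text, on_busy)
    return require_armored(target.text)

def run(send):
    """Run one send while focus moves to a chat window mid-encryption."""
    compose, chat = Window("compose", "meet at noon"), Window("chat", "hi")
    desk = Desktop(compose, chat)
    sent = send(desk, compose, lambda: setattr(desk, "active", chat))
    return sent, chat.text

if __name__ == "__main__":
    print(run(send_vulnerable))
    print(run(send_hardened))
```

In the model, the vulnerable path sends the plaintext and leaves the ciphertext in the chat window; passing that same outgoing body through `require_armored` would have stopped the send.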