Roni, Thanks for your reply. One of the problems is that Version 7.1 does have exactly the same problem! I just tested it, and from what I can tell, the same problem exists here, too. I just purchased Version 7.1 this past April. My only option still seems to be to set the cache to never cache. Steve -----Original Message----- From: Roni_Katz@nai.com [SMTP:Roni_Katz@nai.com] Sent: Thursday, July 25, 2002 4:15 PM To: Cohen, Steve; bugtraq@securityfocus.com Subject: RE: PGP 7.04 Patch Modifies the Password Cache Setting Steve, Sorry but I couldn't get you point of view Why don't you simply make a upgrade? The version 7.1.1 does not have this problem. Regards, Roni Katz Mcafee Systems Engineer Network Associates do Brasil - www.nai.com Fone: 55 11 5503-0124 FAX : 55 11 5503-0131 Fingerprint: D405 12F3 8917 63C2 A3AC 2D4F 06B8 4A3E 10F7 177C - Your Network, Our Business -----Original Message----- From: Steve.Cohen@EchoStar.Com [ mailto:Steve.Cohen@EchoStar.Com <mailto:Steve.Cohen@EchoStar.Com> ] Sent: Thursday, July 25, 2002 1:34 PM To: bugtraq@securityfocus.com Subject: PGP 7.04 Patch Modifies the Password Cache Setting I noticed that the new PGP 7.04 Patch, while addressing the security issue that required Network Associates to issue the patch, also appears to affect the Passphrase Cache. After applying the patch, I noticed that my passphrase cache, while still set to 2:00 minutes, was now functioning as though I had set it to "Cache Passphrase While Logged On." In other words, no matter how long it had been since I had last entered my passphrase, I could open any PGP e-mail or document without entering my passphrase again. Checking the Options screen, I discovered that the Passphrase Cache still appeared to be set at 2:00 minutes. Even setting it to 1 Second did not solve the problem; my passphrase was still cached for as long as I was logged on. The only way I could find to resolve this problem was to reset the option to NEVER cache my passphrase. I brought this to the attention of Network Associates, and they WERE able to replicate my findings. However, their position is that since this is an old and not currently supported version of PGP, they were not going to fix this problem. According to them, my only option was to upgrade to version 7.1.1, which they feel does not have this problem. I feel that this problem is potentially much more important than the problem that required the patch in the first place, since there is a much higher likelihood of a security problem if anyone can read any PGP e-mail or document on your computer by simply opening it up. I also feel that if Network Associates felt they had to fix their initial security problem with this patch, that they should also have to fix the security problem that their patch caused.
