Biodata SecureDesk not affected by security hole
Email encryption software remains secure.
Singapore, August 23, 2001. - Biodata Information Technology today announces that the ASCII Armor vulnerability issue poses no threat to Biodata SecureDesk - the only email encryption platform in the world that uses the two most prevalent international encryption standards, OpenPGP and S/MIME. Employees of @stake, Inc. (www.atstake.com) had published a possible attack on PGP (Pretty Good Privacy) by Network Associates Inc. (www.nai.com) regarding a weakness in handling signature files and public keys. The security hole enables an attacker to copy a Trojan to a user's machine and to execute it.
How the vulnerability happens
To exploit the vulnerability, the attacker encodes the malicious code in a signature file or key packet. When analyzing the data, PGP writes the Trojan as a temporary file in the current directory on the hard disk without informing the user.
The Trojan is a manipulated Windows DLL (Dynamic Link Library) that carries the same file name as a DLL belonging to the PGP product and located in the PGP program files directory. When the PGP user verifies a signature, PGP looks for the DLL in the current directory first, before searching the PGP program files directory. PGP therefore loads the Trojan instead of the genuine PGP DLL and calls what it takes to be the signature verification function. Because that function is executed, the Trojan runs in the context of the current user and gains full control over the local machine and all connected network drives.
Why Biodata SecureDesk is not exposed to this vulnerability
This vulnerability cannot be exploited when using Biodata SecureDesk. If binary data is found in a signature file or a key packet, Biodata SecureDesk informs the user; no executable code is written to the hard disk without the user's confirmation.
Furthermore, Biodata SecureDesk links all program DLLs directly with an absolute path. No search of the directories described above takes place, so only the correct DLL is loaded.
Biodata SecureDesk also enables verification of sender identity. By allowing the option of digitally signing messages, the software eliminates any doubt about the true identity of the sender.
"Biodata customers can relax and continue working with Biodata SecureDesk as usual. No patch is necessary because the product is not vulnerable to this kind of attack," said Mr KK Chan, Country Manager of Biodata Singapore.
Biodata SecureDesk is the only PC-based encryption software that encrypts and deciphers both S/MIME and OpenPGP, the two most important encryption protocols. Microsoft declared Biodata SecureDesk a "Packaged Application of the Year" in 2000, due to its unique features and high level of functionality with Microsoft-based email platforms.
Technical details about the security issue can be found on the @stake website at http://www.atstake.com/research/advisories/2001/a040901-1.txt
FURTHER INFORMATION CONTACT: