PGP flaw discovered

Pretty Good Privacy (PGP), the world's most popular software for scrambling sensitive emails, has been found to have a flaw that could allow hackers to attack a user's computer.

PGP is widely used by corporate and government offices, including some FBI agents and US intelligence agencies.

The new vulnerability, discovered by researchers at eEye Digital Security, is based on a programming flaw in a plugin that helps users of Microsoft Outlook encrypt messages with a few mouse clicks.

If a hacker sends a specially coded email - which would appear as a blank message followed by an error warning - it could effectively seize control of the victim's computer.

The hacker could then install spy software to record keystrokes, steal financial records or copy a person's unlocking keys to unscramble their emails.

Marc Maiffret, the eEye executive and researcher who discovered the problem, said there was no evidence that anyone had successfully attacked users of the encryption software with this technique.

He said the programming flaw was "not totally obvious", even to trained researchers examining the software blueprints.

Network Associates - which, until February, distributed both commercial and free versions of PGP - has released a patch for the problem on its website.

The company announced earlier that it was suspending new sales of the software, which hasn't been profitable, but moved within weeks to repair the problem in existing versions.

A plugin for Microsoft's Outlook Express is not affected by the flaw.