Researcher Warns of Zero-day Vulnerabilities in Symantec PGP Product

A security researcher has uncovered two zero-day vulnerabilities in Symantec’s desktop encryption product. One of the security issues could potentially be used to trigger the other flaw, he claims.

Security researcher Nikita Tarakanov says that he uncovered an integer overflow vulnerability in the pgpwded.sys driver distributed with Symantec PGP Whole Disk Encryption 10.2.0 Build 299 (up-to-date), according to a post on text-sharing site Pastebin on Jan. 7. This vulnerability affected all versions of Windows, Tarakanov wrote on Twitter.

“Symantec is aware of the claims about arbitrary code vulnerabilities affecting its PGP Whole Disk Encryption product. These claims are currently being investigated and we have no additional information to share at this time,” a Symantec spokesperson told SecurityWeek.

Tarakanov uncovered this bug days after Symantec downplayed a different vulnerability in PGP Desktop. Over Christmas, Tarakanov had discovered an arbitrary memory overwrite vulnerability in the same driver file for PGP Desktop WDE. If exploited successfully, this flaw would allow malicious code execution.

Symantec acknowledged the vulnerability, but noted that it cannot be easily exploited as certain conditions must first be met. The attacker needs to be logged into a Windows XP or Windows 2003 system, but even so, wouldn’t be able to take advantage of the security issue unless the vulnerable system first encountered an error condition, Symantec said in a post on its Encryption Blog.

An error condition is when a program escapes its execution to report an issue for a developer to monitor and correct, David Schwartzberg, a senior security engineer at Sophos, told SecurityWeek. (Disclosure: Sophos offers products that compete with some Symantec offerings.) Poor programming results in unmonitored error conditions that can be exploited with malware, because the malware will respond to the error thrown, Schwartzberg said.

“It’s not of big concern as the stars need to be aligned for this to be exploited,” wrote Kelvin Kwan, product marketing manager at Symantec.

While difficult, it is possible to craft an attack to execute the zero-day, Schwartzberg said. If the pre-boot authentication option on PGP Desktop WDE is enabled, then there is no way to locally access the device until after the user has successfully logged in. However, if the pre-boot authentication setting is not enabled, “it makes it that much easier to get to Windows,” Schwartzberg said.

Knowing pre-boot authentication is not set, an attacker would be able to take advantage of some other security vulnerability, to run code that forces an error condition. Once there is an error condition, the attacker would be able to bypass PGP’s disk encryption and access the data stored on the drive, Schwartzberg said.

It’s possible the second zero-day vulnerability Tarakanov found could be exploited to execute arbitrary code to create that error condition.

“Hope you don’t lose any encrypted laptops with Symantec’s PGP Desktop 10.2.0 Build 2599,” Schwartzberg said.

“The plan is to have a fix in an upcoming maintenance pack. The expected availability of the maintenance pack is early February,” Symantec’s Kwan said, referring to the first arbitrary memory overwrite vulnerability.

Until the maintenance pack is available, the best way to protect user data is to ensure pre-boot authentication is enabled on PGP Desktop so that Windows doesn’t load until after the user logs in, Schwartzberg said.
