The security flaw does not exploit any weakness in the encryption algorithms themselves. Instead, it lets attackers exploit a programming flaw in a piece of companion software, called a plug-in, that is used with Microsoft Outlook to encrypt messages with a few mouse clicks.
Attackers can send a specially crafted e-mail to any Outlook user who has the PGP plug-in installed, which in turn gives them access to that system. From there, attackers would be able to compromise the user's private key and use it to decrypt e-mail communications.
According to eEye Digital Security, the flaw only affects Microsoft Outlook users.
“It’s not the number of people using PGP but the fact that they’re using it because they’re trying to safeguard their data. Whatever the percentage is, it’s very important data”, a spokesman for eEye told the Wall Street Journal.
He added that the programming flaw was not obvious and there is no evidence that anyone had successfully attacked users of the software.
Network Associates, distributor of the PGP software until February, has made a free download available to fix the software. The company has also suspended new sales of the product until the problem in existing versions is repaired.