A malicious e-mail can create a buffer overrun in Network Associates' PGP plugin for MS Outlook on Windows, which in turn can be used to run arbitrary code with the user's level of privilege. At a minimum this could compromise the user's passphrase and expose his encrypted messages, and at a maximum surrender control of the machine. Attachments do not need to be activated; merely selecting the malicious message is sufficient.

PGP Desktop Security 7.0.4, Personal Security 7.0.3 and Freeware 7.0.3 are affected. NAI has a hotfix posted here (http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp). The issue was discovered by eEye (http://www.eEye.com)'s Marc Maiffret. ®