On December 25, 2012, someone published the details of what appeared to be a zero-day vulnerability in Symantec’s PGP Whole Disk Encryption product. After analyzing the POC, Symantec’s engineers confirmed that it was in fact a vulnerability.
However, according to Symantec’s Kelvin Kwan, it’s not something that’s easy to exploit.
For one, it only affects systems running Windows XP and Windows 2003 and the attacker needs to be logged in to trigger the exploit.
Furthermore, the exploit can be triggered only if the system enters an error condition.
“Once in this error condition, the exploit could allow an attacker with lower privileges to run some arbitrary code with higher privileges,” Kwan explained.
Symantec will address this issue with the release of a maintenance pack, most likely in early February.