Zero-Day Vulnerability Uncovered in Symantec’s PGP Whole Disk Encryption

The company plans to address the issue sometime in early February

By on January 5th, 2013 10:52 GMT

On December 25, 2012, someone published the details of what appeared to be a zero-day vulnerability in Symantec’s PGP Whole Disk Encryption product. After analyzing the POC, Symantec’s engineers confirmed that it was in fact a vulnerability.

However, according to Symantec’s Kelvin Kwan, it’s not something that’s easy to exploit.

For one, it only affects systems running Windows XP and Windows 2003 and the attacker needs to be logged in to trigger the exploit.

Furthermore, the exploit can be triggered only if the system enters an error condition.

“Once in this error condition, the exploit could allow an attacker with lower privileges to run some arbitrary code with higher privileges,” Kwan explained.

Symantec will address this issue with the release of a maintenance pack, most likely in early February.

Comments