           PGP Freeware Version 7.0.3 Hotfix 1
     for Windows 95, 98, Millennium, NT, and Windows 2000
       Copyright (c) 1990-2001 by Networks Associates 
       Technology, Inc., and its Affiliated Companies. 
  		    All Rights Reserved.

     ----------------------------------------------
     -                HOTFIX 1                    -
     ----------------------------------------------


Thank you for using PGP Freeware Version 7.0.3. This Hotfix.txt 
file contains important information regarding this hotfix release.
Network Associates strongly recommends that you read this 
entire document. Network Associates welcomes your comments and 
suggestions. Please use the information provided in this file to 
contact us.

Warning: Export of this software may be restricted by the U.S.
Government.

___________________
WHAT'S IN THIS FILE

- About this Hotfix
- Issues resolved in this Hotfix
- Installing the Hotfix
- Contacting Network Associates


_________________
ABOUT THIS HOTFIX

This hotfix consists of a single compressed file 
(PGPfreeware703Hotfix1.zip) which you decompress using an 
extraction utility such as Winzip. The zip file contains three
files, PGPexch.dll, PGPsc.dll and PGPhotfix.exe.

______________________________
ISSUES RESOLVED IN THIS HOTFIX

PGP allows the user to verify signed files from the Explorer 
window by double-clicking on the .sig file that represents
the signature on the original file. It is possible for an attacker
to create a .sig file that contains an arbitrary binary file. When
the user double-clicks on the .sig file, the binary file will be 
extracted and written to the current directory.

If the extracted file is a PGP component DLL, it is possible
that a PGP program could load the new DLL instead of the installed
DLL, replacing the normal functionality with the new DLL that the 
attacker created.

This hotfix will force the PGP component DLLs to always load
from the directory they were installed in. Additionally, it will
force a "Save As" dialog for any extracted files with a .dll,
.sys, or .vxd extension.
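
The extension check described above, sketched as an added example. This is not Network Associates' code: the function name needs_save_as is hypothetical, and the handling of path separators and trailing dots or spaces is an assumption about how a Windows file name should be normalized before the comparison.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Extensions the hotfix text lists as requiring a "Save As" dialog. */
static const char *const PROMPT_EXTS[] = { "dll", "sys", "vxd" };

/* Case-insensitive compare of the n-byte span s against NUL-terminated ext. */
static int ext_equals(const char *s, size_t n, const char *ext)
{
    size_t i;
    if (strlen(ext) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != ext[i])
            return 0;
    return 1;
}

/* Hypothetical helper (not PGP source): returns 1 if a file name taken from
   untrusted input must go through "Save As", 0 if no prompt is needed. */
int needs_save_as(const char *embedded_name)
{
    const char *base = embedded_name, *p, *dot = NULL;
    size_t len, i;

    /* Only the last path component matters; accept both separators. */
    for (p = embedded_name; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;

    /* Win32 drops trailing dots and spaces when it creates the file,
       so "x.dll." and "x.dll " both end up on disk as "x.dll". */
    len = strlen(base);
    while (len > 0 && (base[len - 1] == '.' || base[len - 1] == ' '))
        len--;

    for (i = 0; i < len; i++)
        if (base[i] == '.')
            dot = base + i;
    if (dot == NULL)
        return 0; /* no extension at all */

    for (i = 0; i < sizeof PROMPT_EXTS / sizeof PROMPT_EXTS[0]; i++)
        if (ext_equals(dot + 1, len - (size_t)(dot + 1 - base), PROMPT_EXTS[i]))
            return 1;
    return 0;
}
```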


_____________________
INSTALLING THE HOTFIX

1.  Extract the files from PGPfreeware703Hotfix1.zip
    into a folder.

2.  Run the program PGPhotfix.exe. This will replace the existing 
    PGPexch.dll and PGPsc.dll on your machine with new versions of 
    these DLLs.

3.  Reboot the machine.

4.  You can verify that the hotfix was installed by looking
    for PGPsc.dll in your Windows\System directory
    (for Windows 95/98/ME) or Winnt\System32 directory
    (for Windows NT/2000). Right-click PGPsc.dll and 
    choose "Properties". Click on the Version tab. The file 
    version should be "7.0.3 Hotfix 1".



