Quantcast
PC World: Technology Advice You Can Trust
Search
Browse by Topic
Subscribe to magazine

Magazine

Subscribe & Get
a Bonus CD

Customer Service

Find a Review
Dads & Grads Gift Guide Audio & Video Business Center Cameras Cell Phones & PDAs Communications Components & Upgrading Desktop PCs DVD & Hard Drives Gaming Hardware & Software HDTV Laptops Macs & iPods Monitors Printers Spyware & Security The PCW Test Center Windows Vista & XP
Resource Centers
Asus Notebook Center
CDW Solution Center
HP Ink Center
Intel Technology Center
Lenovo Laptop Showcase
White Paper Library
Webcast Library
Most Popular Search Terms
Most Popular Products
Most Popular Downloads
Free Newsletters
Receive the latest reviews, how-to's, news, and more.
Security & Privacy
Weekly Brief
Windows Vista
Go
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
RSS Feeds
Get our latest content via convenient RSS feeds.
Latest News
Today @ PC World
Become a PCW Member
Join the community and start enjoying the benefits:
  • Get tech advice from thousands of PC World Members
  • Rate and recommend the latest tech products
  • Share your thoughts in blog and article comments
  • Get free excerpts and exclusive discounts on Super Guides
Signing up is free and easy.
Read More About: EncryptionE-Mail BugsOpen Source

Security Hole Found in GPG Crypto Program

Flaw could allow attacker to place code in signed e-mail.

James Niccolai, IDG News Service

Monday, March 13, 2006 2:00 PM PST
Recommend this story?
Yes
No

PARIS -- Developers of the open-source GnuPG encryption software have reported a security flaw that could allow an attacker to sneak malicious code into a signed e-mail message.

GnuPG, or Gnu Privacy Guard, is an open-source version of the PGP encryption program used for encrypting data and creating digital signatures. It's included with several Linux distributions as well as the open-source FreeBSD operating system, and is also used widely used by the IT security industry.

Vulnerability Details

The vulnerability allows an attacker to take a signed message and insert additional code, which then appears to the recipient as if it were part of the digitally signed content.

"Someone who's able to intercept the message as it's transmitted could inject some data, and then the person who verifies the signature would be told it's a valid, unaltered message," said Thomas Kristensen, chief technology officer with security vendor Secunia, in Copenhagen.

"That's one of the main purposes of the program, so it's quite significant," he added.

The attacker could potentially alter a text file, like a business contract, or an executable file attached to the message, he said. Secunia ranked the flaw as "moderately critical."

It affects all versions of GnuPG prior to 1.4.2.2, and users are advised to upgrade at once to that release. More information is on the GnuPG Web site.

Background

The GnuPG team uncovered the flaw while testing the patch for a previous vulnerability reported last month. That flaw could have led to false positives when verifying signature files. Upgrading to the 1.4.2.2 release fixes that problem as well, the group said.

GPG is "fairly widely used among certain communities," although most people today probably use the encryption features in Microsoft Windows, Kristensen said.

The two recent security holes are unlikely to damage GPG's credibility, he said.

"People know it's still sound in the way it was designed and programmed, most people would consider this a minor oversight that's been corrected in a way you'd expect from a serious open-source project like GPG," Kristensen said.


Recommend this story?
Yes
No
Related Searches: gnupc encryption security security flaw linux

Comments
Related Content
Latest News
EDS Buy Could Give HP Edge Over Dell, Analysts Say
Hewlett-Packard's acquisition of Electronic Data Systems won't hurt Dell in the next few years, but it could affect Dell's... 16-May-2008
Microsoft Pulls Windows Home Server Backup Feature
Microsoft confirms that it has yanked parts of a backup feature from a major upgrade to its Windows Home Server. 16-May-2008
HP Confirms XP SP3 Endless Reboot Snafu, Promises Patch
HP confirms that some users of its AMD-based desktops have had problems after installing Windows XP Service Pack 3. 16-May-2008
Say Goodbye to Muni-Fi
The days of imagining Wi-Fi blanketing a city are over with the exit of the last major municipally focused Wi-Fi service provider. 16-May-2008
Microsoft: Don't Misunderstand UAC, Other Vista Features
In its continued attempt to convince business customers to adopt Vista, Microsoft has outlined and tried to explain some of... 16-May-2008
Sony Reveals 2008-2009 PlayStation Software List
Sony Friday revealed a list of 15 upcoming games for the PlayStation 3, PS2 and PSP. 16-May-2008
HP-EDS Buy, Icahn Strikes Again, China Quakes
This was a big IT news week, with the massive earthquake in China on Monday showing once again the role that the Internet... 16-May-2008
Universal Battery Charger Debuts for Apple Laptops
FastMac on Friday announced its new U-Charge. It's a universal battery charger for Apple laptops and it costs US$69.95; it... 16-May-2008
Optimizing Windows on Your Mac
The June 2008 issue of Macworld includes a feature article on running Windows on your Mac--and how to do it in the most... 16-May-2008
TapDex 3.3.2
Apple's Address Book utility is a handy place to store information for your contacts, especially since it integrates so well... 16-May-2008

PC World's Marketplace

PC World's Free Whitepapers

Name City
Address 1 State Zip
Address 2 E-mail (optional)