GPG Flaw Allows Attacks Resembling Phishing

The popular encryption software GNU Privacy Guard (GPG) has a critical flaw that enables an attacker to carry out a phishing-like attack that embeds text as portion of a legitimate e-mail, Core Security Technologies said on March 9, 2007.

CoreLabs, Core Security's research wing said that the attackers exploit this vulnerability to add their own content to trustworthy, signed e-mails that mislead the recipients. Moreover the flaw allows attackers to get past filtering defenses like anti-spam and anti-virus tools. Such evasions particularly make it hard to spot the attacks.

The vulnerability affects users of open source e-mail client software like Sylpheed, Evolution, Mutt, KMail and GNUMail. It also impacts on Enigmail, an additional feature for e-mail clients of Mozilla Thunderbird and Mozilla/Netscape. With these e-mail clients, users can reach the authentication and encryption features obtained from GnuPG. GnuPG and Enigmail have made their own revisions to deal with this vulnerability.

The flaw results in risk for users of cryptographic technology to encrypt or authenticate e-mail messages. There was a similar problem with the GnuPG technology in 2006.

GnuPG is a non-chargeable substitution for Pretty Good technology of Privacy cryptographic. An e-mail using OpenPGP cryptography may constitute many sections, which need not require encryption or signature for all of them. E-mail software that fails to correctly present the meaning of the message might indicate false security for that message. This problem is not related to cryptography. It affects the presentation of information to the user and interaction of external applications with GnuPG, Core alerted.

The vulnerability represents subtle decisions for implementation and the interface of data communications across two applications very well. In this particular instance e-mail extensions & GnuPG can cause end users to face unpredictable security weaknesses.

While there haven't been any reports of this exploit, an attack resulting from it is indeed bothersome because it opens a new vector for cyber criminals, Core added. Core's encouragement and support for GnuPG's use continues to enhance the privacy and security of e-communications. Core advises users to turn on the default encryption on every message to prevent attacks on e-mail traffic.

Related article: GPC Holders Beware of phishing Emails - Schriever Air Force Base

» SPAMfighter News - 3/17/2007