• United States
Deputy News Editor

Security hole found in crypto program Gnu Privacy Guard

Mar 13, 20062 mins

Developers of the open source Gnu Privacy Guard encryption software have reported a security flaw that could allow an attacker to sneak malicious code into a signed e-mail message.

GnuPG, or Gnu Privacy Guard, is an open source version of the PGP encryption program used for encrypting data and creating digital signatures. It’s included with several Linux distributions as well as the open source FreeBSD operating system, and is also used widely used by the IT security industry.

The vulnerability allows an attacker to take a signed message and insert additional code, which then appears to the recipient as part of the digitally signed content.

“Someone who’s able to intercept the message as it’s transmitted could inject some data, and then the person who verifies the signature would be told it’s a valid, unaltered message,” says Thomas Kristensen, chief technology officer with security vendor Secunia in Copenhagen.

“That’s one of the main purposes of the program, so it’s quite significant,” he adds.

The attacker could potentially alter a text file such as a business contract, or an executable file attached to the message, he says. Secunia ranked the flaw as “moderately critical.”

It affects all versions of GPG earlier than; users are advised to upgrade at once to that release. More information is on the GPG Web site at

The GPG team uncovered the flaw while testing the patch for a previous vulnerability reported last month. That flaw could have led to false positives when verifying signature files. Upgrading to the release fixes that problem as well, the group says.

GPG is “fairly widely used among certain communities,” although most people today probably use the encryption features in Microsoft Windows, Kristensen says. The two recent security holes are unlikely to damage GPG’s credibility, he adds.

“People know it’s still sound in the way it was designed and programmed, most people would consider this a minor oversight that’s been corrected in a way you’d expect from a serious open source project like GPG,” Kristensen says.