Developers of the open source Gnu Privacy Guard encryption software have reported a security flaw that could allow an attacker to sneak malicious code into a signed e-mail message.GnuPG, or Gnu Privacy Guard, is an open source version of the PGP encryption program used for encrypting data and creating digital signatures. It’s included with several Linux distributions as well as the open source FreeBSD operating system, and is also used widely used by the IT security industry.The vulnerability allows an attacker to take a signed message and insert additional code, which then appears to the recipient as part of the digitally signed content.“Someone who’s able to intercept the message as it’s transmitted could inject some data, and then the person who verifies the signature would be told it’s a valid, unaltered message,” says Thomas Kristensen, chief technology officer with security vendor Secunia in Copenhagen. “That’s one of the main purposes of the program, so it’s quite significant,” he adds.The attacker could potentially alter a text file such as a business contract, or an executable file attached to the message, he says. Secunia ranked the flaw as “moderately critical.” It affects all versions of GPG earlier than 1.4.2.2; users are advised to upgrade at once to that release. More information is on the GPG Web site at http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html.The GPG team uncovered the flaw while testing the patch for a previous vulnerability reported last month. That flaw could have led to false positives when verifying signature files. Upgrading to the 1.4.2.2 release fixes that problem as well, the group says.GPG is “fairly widely used among certain communities,” although most people today probably use the encryption features in Microsoft Windows, Kristensen says. The two recent security holes are unlikely to damage GPG’s credibility, he adds.“People know it’s still sound in the way it was designed and programmed, most people would consider this a minor oversight that’s been corrected in a way you’d expect from a serious open source project like GPG,” Kristensen says. Related content news analysis Cisco, AWS further integrate cloud management capabilities Cisco and AWS marry Cisco ThousandEyes and AWS’ CloudWatch Internet Monitor, bolster Cisco Cloud Observability features By Michael Cooney Nov 28, 2023 4 mins Cloud Computing opinion Is anything useful happening in network management? Enterprises see the potential for AI to benefit network management, but progress so far is limited by AI’s ability to work with company-specific network data and the range of devices that AI can see. By Tom Nolle Nov 28, 2023 7 mins Generative AI Network Management Software brandpost Sponsored by HPE Aruba Networking SASE, security, and the future of enterprise networks By Adam Foss, VicePresident Pre-sales Consulting, HPE Aruba Networking Nov 28, 2023 4 mins SASE news AWS launches Cost Optimization Hub to help curb cloud expenses At its ongoing re:Invent 2023 conference, the cloud service provider introduced several new and free updates that are expected to help enterprises optimize their AWS costs. By Anirban Ghoshal Nov 28, 2023 3 mins Amazon re:Invent Podcasts Videos Resources Events NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe