Core Security Uncovers Vulnerability

Core Security issued an advisory disclosing a flaw in the GNU Privacy Guard

Dark Reading Staff, Dark Reading

March 7, 2007

2 Min Read
Dark Reading logo in a gray background | Dark Reading

BOSTON -- Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today issued an advisory disclosing a flaw in the GNU Privacy Guard (GnuPG or GPG), an OpenPGP-compliant cryptographic software system and part of the Free Software Foundation’s GNU software project and third-party email applications that rely on it for encrypted and signed email communications. CoreLabs, the research arm of Core Security, discovered that by exploiting this vulnerability an attacker can add arbitrary content to encrypted and/or signed emails in order to mislead recipients about the trustworthiness of a message. In addition, attackers can use this flaw to bypass content-filtering defenses (e.g., anti-spam mechanisms), which makes it particularly inconvenient to detect phishing attacks.

This vulnerability impacts users of a broad range of open-source email client software programs, including KMail, Evolution, Sylpheed, Mutt, and GNUMail. The vulnerability also affects Enigmail, an extension to the mail client of Mozilla/Netscape and Mozilla Thunderbird that allows users to access the authentication and encryption features provided by GnuPG. Enigmail and GnuPG have released new versions of their software to address this vulnerability. CoreLabs has also published a workaround to help users to detect and prevent exploitation.

“This vulnerability is a good example of how very subtle implementation decisions on how to interface data communications between two applications, in this case email front-end extensions and GnuPG, can end up exposing end users to unexpected security weaknesses.” said Iván Arce, CTO at Core Security Technologies. “We continue to encourage and support the use of GnuPG as a convenient way to improve the security and privacy of communications. To that effect and to prevent traffic analysis attacks we also recommend that encryption should be turned on by default on every email.”

Core Security Technologies

Read more about:

2007

About the Author

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Screen covered with multi-colored postits, each one with a password written on it.
Identity & Access Management Security
NIST Drops Password Complexity, Mandatory Reset RulesNIST Drops Password Complexity, Mandatory Reset Rules
byEdge Editors
Sep 25, 2024
2 Min Read
CrowdStrike logo on smatphone screen
Cyberattacks & Data Breaches
CrowdStrike Offers Mea Culpa to House CommitteeCrowdStrike Offers Mea Culpa to House Committee
byJai Vijayan, Contributing Writer
Sep 25, 2024
4 Min Read
Black background and white text saying Dark Reading Confidential
Vulnerabilities & Threats
Dark Reading Confidential: Pen-Test Arrests, 5 Years LaterDark Reading Confidential: Pen-Test Arrests, 5 Years Later
byDark Reading Staff
Sep 10, 2024
42 Min Listen
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events