OpenPGP presentation bug unscrambled
PrintSignature verification vuln
Posted in Software & Security, 8th March 2007 19:32 GMT
Free whitepaper – Managing desktop software for fun and profit
A flaw in the way encryption programs present data to users makes it possible for a block of unsigned and unencrypted data to appear no different to users from encrypted data in a message.
The bug does not stem from a flaw in encryption but in the way in which OpenPGP, the standard for transmitting PGP-encrypted data, is interpreted by GnuPG "helpers" such as Enigmail and mail programs such as Evolution and KMail.
OpenPGP-compliant messages might be made up of multiple sections, some of which might not be encrypted. However, helpers and mail software packages fail to use the GnuPG API correctly to interpret where encrypted sections start and end. As a result you might "see the pretty icon telling you that the whole message is encrypted and signed whereas there is a section of it (text, image, binary, whatever) which isn't," the SANS Institute's Internet Storm Centre helpfully explains.
A new release of GnuPG and update to email client have been produced to address the issue, as explained in an advisory here. ®
Free whitepaper – Straight Talk with Dell: Sending out an SaaS
Managing desktop software for fun and profit
Analyst Keynote: The Register Agile Data Center Summit
Dell PowerEdge M710 with Dell EqualLogic storage vs. HP ProLiant BL685c with HP StorageWorks EVA 4400
Seven ways to optimize VMware server virtualization
Sign up, sign up for The Register IT security newsletter
Microsoft's Windows 7 price gamble - and why it's flawed
Managing Desktop Software for fun and profit
Intel's flash new SSDs hit by bugs