Don't Trust GnuPG Encrypted and Signed EMail


Core Security Technologies has discovered a flaw in GNU Privacy Guard (GnuPG), the open-source cryptographic software that is part of the GNU project and sits at the heart of signed, encrypted and trusted third-party e-mail. The flaw lets an attacker reach into a signed or encrypted message and add whatever content they like, and the recipient's mail client presents the injected text as if it were part of the trusted, signed message.

Besides the ability to mislead recipients about the trustworthiness of signed e-mail, the flaw also allows attackers to bypass content-filtering defenses such as anti-spam tools, making it "particularly inconvenient" to detect phishing attacks, according to a statement from Core Security.

This hole lies in a broad range of open-source e-mail client programs, including KMail, Evolution, Sylpheed, Mutt and GNUMail. It also affects Enigmail, an extension for the Mozilla/Netscape mail client and Mozilla Thunderbird that gives users GnuPG authentication and encryption.
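The failure the advisory describes is a mail client rendering text that the signature never covered as though it were signed. One structural check a client can apply to an inline-signed (clearsigned) message body, as an added example written for this page and not Core Security's proof of concept or any GnuPG or client fix: split the body into signed and unsigned regions, and refuse to label the message "signed" when anything lies outside a single signed block. The sample message and its placeholder signature armor are constructed; the code checks layout only and does not verify the signature, which still has to be done with gpg.

```python
"""Split an inline (clearsigned) PGP mail body into signed and unsigned regions.

Layout check only: a real client must still run the signature through gpg and
render nothing that gpg did not confirm as signed. (Added example, not from the
original article.)
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def _unescape_dashes(lines):
    # Clearsigned text dash-escapes lines that begin with "-" (RFC 4880, 7.1).
    return [l[2:] if l.startswith("- ") else l for l in lines]


def split_regions(body):
    """Return a list of (kind, text) tuples, kind being 'signed' or 'unsigned'.

    Only text between the armor header block and the signature armor counts
    as 'signed'; the armor lines themselves and any text before, between or
    after signed blocks are reported as 'unsigned'.
    """
    regions = []
    lines = body.splitlines()
    unsigned = []
    i = 0
    while i < len(lines):
        if lines[i] != BEGIN_SIGNED:
            unsigned.append(lines[i])
            i += 1
            continue
        if unsigned:  # flush unsigned text seen before this block
            regions.append(("unsigned", "\n".join(unsigned)))
            unsigned = []
        i += 1
        while i < len(lines) and lines[i] != "":  # armor headers, e.g. "Hash: SHA256"
            i += 1
        i += 1  # the blank line ending the headers
        signed = []
        while i < len(lines) and lines[i] != BEGIN_SIG:
            signed.append(lines[i])
            i += 1
        if i >= len(lines):
            raise ValueError("signed block without signature armor")
        while i < len(lines) and lines[i] != END_SIG:  # skip the signature armor
            i += 1
        if i >= len(lines):
            raise ValueError("unterminated signature armor")
        i += 1
        regions.append(("signed", "\n".join(_unescape_dashes(signed))))
    if unsigned:
        regions.append(("unsigned", "\n".join(unsigned)))
    return regions


def unsigned_text(body):
    """Non-blank text that sits outside any signed region."""
    return [t for k, t in split_regions(body) if k == "unsigned" and t.strip()]


def is_wholly_signed(body):
    """True only if the body is exactly one signed block and nothing else."""
    regions = split_regions(body)
    signed = [t for k, t in regions if k == "signed"]
    return len(signed) == 1 and not unsigned_text(body)


# Constructed sample: a genuinely clearsigned note from Alice. The signature
# armor is a placeholder, not a real signature.
CLEAN_MAIL = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Bob, the meeting is moved to 3pm.
- -- Alice
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE...placeholder...
-----END PGP SIGNATURE-----
"""

# Constructed sample: the same note with an attacker's paragraph prepended.
# A client that shows the whole body under a "signed" badge lends Alice's
# signature to the injected text.
INJECTED_MAIL = (
    "Your account has been locked. Reply with your password to unlock it.\n\n"
    + CLEAN_MAIL
)

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_MAIL), ("injected", INJECTED_MAIL)):
        print(name, "wholly signed:", is_wholly_signed(body))
        for stray in unsigned_text(body):
            print("  unsigned text:", repr(stray))
```

The same principle applies to the PGP/MIME and packet-level case the advisory is about: whatever gpg (or GPGME) returns, the client must render only the bytes the verifier reports as covered by a good signature and treat any other bytes in the same output as untrusted, rather than assuming that a single GOODSIG status line vouches for the entire stream.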

Linked by shanmuga Friday, 9th March 2007 12:34AM