The vulnerability is not in the encryption algorithm itself, but rather in the way that GnuPG interacts with the third-party applications that use it. The list of affected mail packages is extensive, and includes GNUMail, KMail, Enigmail and Mutt, among many others.
The Free Software Foundation, which maintains GnuPG, has released a new version of the program and has posted an advisory about the problem on its site. The FSF decided to release its own fix rather than have each of the third-party developers patch their applications because of the large number of applications the vulnerability affects. @33192
The vulnerability lies in the way that GnuPG communicates with the mail programs that use it to encrypt and sign messages. GnuPG, which is based in the OpenPGP standard, contains an API that mail applications and other programs use to interpret where each of the various sections of a GnuPG-signed message begins and ends.
The applications make the wrong assumptions when interpreting that data, said Ivan Arce, chief technology officer of Boston-based Core, and as a result, attackers can insert their own text into a message that already has been signed. Alternately, an attacker could replace the entire signed message with his own message, Arce said.
"This is very simple to exploit," he said. "The attacker needs to get a mail message that's signed by the sender, then attach his text and send it to the destination. Whoever receives the message will trust it because it's been signed. It's quite easy to do."
GnuPG is widely used by open-source email applications and other programs that require encryption, and not just in the Windows world. For example, there is a plug-in called GPGMail that can be used to send and receive encrypted messages via the mail client in Apple Computer Corp.'s Mac OS X operating system.
Arce emphasized that this flaw in no way affects the actual encryption in GnuPG, but said that it is a good example of how the interactions between applications can lead to results that were unforeseen by the applications' respective developers.
"Both programs actually do things right for the most part, but when they interact with each other, they make the wrong assumptions," Arce said. "The user doesn't see the stuff in the background. All they see is the result."