Network Associates has issued a patch following the discovery of a loophole in PGP encryption software that could leave messages open to interception.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The loophole, found by German researcher Ralf Senderek, affects versions of PGP that allow the user to specify additional encryption keys.
The bug potentially allows intelligence gathering organisations such as GCHQ or eavesdroppers to distribute modified versions of other people's public keys. E-mail sent by the modified keys will be vulnerable.
"The effect is that GCHQ can create a tampered version of your PGP public key containing a public key whose corresponding private key is also known to themselves, and circulate it. People who encrypt the traffic to you will encrypt it to them too," said Cambridge University security expert Ross Anderson.
Network Associates described the bug as esoteric and said there had been no examples of anyone being compromised by it. Both senders and recipients will need to install the patch to protect their e-mails.
PGP has more than five million commercial and individual users.