A pair of flaws in the open-source GNU Privacy Guard program, also called GnuPG or GPG, could allow an attacker to insert unsigned content into a signed message, or to have forged signatures on files accepted as valid. GnuPG is a free implementation of the OpenPGP standard, created as a replacement for the Pretty Good Privacy (PGP) cryptographic software, and it is packaged for FreeBSD, OpenBSD and most Linux distributions.
What does this mean for businesses? According to an advisory from the Gentoo Linux security team, the flaws threaten the reliability and value of GPG signatures. An attacker who exploits them could splice unsigned content into a signed security alert, or get a forged signature on an unauthorized software update past the checks that are supposed to reject it.
Anyone who uses GPG to verify the authenticity of emails or signed files could be at risk, as could the people who receive and act on those files and messages.
GPG signatures are used, for example, by Linux and Unix distributors to send authenticated security announcements to their users. They also sign the software updates these vendors publish, so that users can confirm the data they receive has not been tampered with. In short, GPG is used in many ways to guarantee the authenticity of files, updates and messages. Without that assurance, fake "security updates" and emails carrying malicious attachments become easy to pass off as genuine.
Systems that need fixing include any that rely on GPG to distribute or verify software updates, especially on Linux. Updates are required to prevent malicious alteration of software and data on these systems.
The GnuPG team has released fixed versions, and vendors that bundle GPG in their products have issued updates as well. One of the patches fixes a flaw that allowed an unauthorized party to insert data into a signed message in such a way that a receiving system would still treat the whole message, injected data included, as authentic.
That flaw was discovered while investigating an earlier problem for which a patch had already been released: automated signature checkers could accept a forged signature as valid and treat a malicious file as safe.
No attacks exploiting these vulnerabilities have been reported so far. Users of the software are nonetheless urged to install the security updates as soon as possible.
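Both flaws hit automated checkers hardest, so it is worth showing concretely how such a checker should read GnuPG's output rather than its exit code. The following Python is an added example, not code from the original post or from the GnuPG project. It parses the machine-readable status lines that gpg emits when run with --status-fd, insists on exactly one good signature from an allow-listed key, and rejects output that reports more than one plaintext or signature segment, which is assumed here to be how a signed message with unsigned data appended shows up. The --status-fd option and the NEWSIG, GOODSIG, VALIDSIG, BADSIG, PLAINTEXT and NODATA keywords are real GnuPG status tokens; the sample status lines, file names and key fingerprints are constructed for the example, and verify_file() is the one function that needs a real gpg binary.

```python
"""Decide whether a GnuPG verification really succeeded by reading its
--status-fd output.  Added example, not code from the original post or
from the GnuPG project.  The sample status lines and fingerprints below
are constructed for this example."""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Any of these means the check failed outright, whatever else was printed.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "EXPKEYSIG", "REVKEYSIG",
                  "EXPSIG", "UNEXPECTED", "FAILURE", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprints: list = field(default_factory=list)


def parse_status(text):
    """Return (keyword, args) tuples for each '[GNUPG:]' line; ignore the rest."""
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                records.append((parts[0], parts[1:]))
    return records


def judge(status_text, trusted_fprs):
    """Accept only one good signature, from an allow-listed key, over at most
    one plaintext segment.  The process exit code is deliberately not used."""
    records = parse_status(status_text)
    keywords = [k for k, _ in records]
    fatal = [k for k in keywords if k in FATAL_KEYWORDS]
    if fatal:
        return Verdict(False, "fatal status: " + ", ".join(fatal))
    valid = [args for k, args in records if k == "VALIDSIG"]
    if len(valid) != 1 or keywords.count("GOODSIG") != 1:
        return Verdict(False, "expected exactly one good signature, saw "
                       f"{len(valid)} VALIDSIG / {keywords.count('GOODSIG')} GOODSIG")
    # More than one NEWSIG or PLAINTEXT means the input carried several
    # segments, and the signature covers only one of them.
    if keywords.count("NEWSIG") > 1 or keywords.count("PLAINTEXT") > 1:
        return Verdict(False, "multiple signature or plaintext segments: "
                              "possible injected data")
    fpr = valid[0][0].upper()
    # Field 10 of VALIDSIG, when present, is the primary key fingerprint.
    primary = valid[0][9].upper() if len(valid[0]) >= 10 else fpr
    trusted = {f.upper() for f in trusted_fprs}
    if fpr not in trusted and primary not in trusted:
        return Verdict(False, f"signing key {fpr} not in allow list")
    return Verdict(True, "good signature from allow-listed key", [fpr])


def verify_file(sig_path, data_path, trusted_fprs, gpg="gpg"):
    """Run gpg on a detached signature and judge the status lines it writes
    to stdout (fd 1).  Needs a real gpg binary; not exercised offline."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1",
         "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return judge(proc.stdout, trusted_fprs)


# Constructed sample outputs (not captured from a real gpg run).
KEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {KEY_FPR} 2007-04-12 1176336000 0 4 0 17 2 00 {KEY_FPR}
[GNUPG:] TRUST_ULTIMATE
"""
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""
# A signed segment followed by a second, unsigned plaintext segment.
INJECTED_STATUS = GOOD_STATUS.replace(
    "[GNUPG:] NEWSIG\n",
    "[GNUPG:] PLAINTEXT 62 1176336000 advisory.txt\n[GNUPG:] NEWSIG\n",
) + "[GNUPG:] PLAINTEXT 62 1176336001 extra.txt\n"
# No signature at all: a tool trusting the exit code alone may not notice.
UNSIGNED_STATUS = "[GNUPG:] PLAINTEXT 62 1176336000 advisory.txt\n"


if __name__ == "__main__":
    for name, text in [("good", GOOD_STATUS), ("bad", BAD_STATUS),
                       ("injected", INJECTED_STATUS), ("unsigned", UNSIGNED_STATUS)]:
        print(name, judge(text, {KEY_FPR}))
```

The structure matters more than any single token: neither the exit code nor one GOODSIG line is treated as sufficient on its own. Counting segments closes the injection case, pinning the fingerprint closes the case of a valid signature from the wrong key, and failing on any fatal keyword means a future status line you did not anticipate cannot quietly become a pass.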
Companies like SignatureLink overcome this obstacle by using a secure online biometric signature that can be captured with a mouse, touchscreen or PDA. This is not to be confused with older digital-signature technology such as PGP or PKI signatures.
For more information on secure digital signatures, please go to http://www.signaturelink.com
Thursday, April 12, 2007