So anyone using S/MIME or PGP in Apple Mail should continue to consider himself vulnerable. Apple Mail is at version 11.3 now, but given the release notes quoted above it seems highly unlikely to me that those three loopholes have been closed. 20 of the published paper) four backchannels in Apple Mail (version 11.2), two of which work explicitly in the case of “valid/trusted S/MIME signed emails”, and another of which works independently of whether any form of encryption is used at all (via a simple plaintext header, so even in the absence of any HTML code!). So I’m puzzled how Apple can think their fix fixes anything.Īlso, the researchers detail (p. But the attack is not at all dependent on any signature being invalid or missing the authors even explicitly note that signing an encrypted email does nothing in the way of protecting the user. For one thing, unless I am completely misreading the text quoted above, Apple has only changed Mail’s behavior for the case of an “invalid or missing S/MIME signature”. You’ve stressed already that this is a very complex issue, but it should be pointed out that this “fix” by Apple addresses one single aspect of Apple Mail’s part in it AT BEST.
![best email clients for mac with gpg best email clients for mac with gpg](https://files.shroomery.org/files/15-16/906922190-password.png)
The situation with iOS Mail, and macOS apps which use PGP encryption seems less clear at present. However, it does appear that Apple has responded to the most severe bug in macOS Mail, and has at least mitigated the risk in using S/MIME in High Sierra’s Mail app. If you are affected by these vulnerabilities, then you will clearly need to make your own assessment of your risks and best mitigation strategy. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature.ĬVE-2018-4111: Damian Poddebniak of Münster University of Applied Sciences, Christian Dresen of Münster University of Applied Sciences, Jens Müller of Ruhr University Bochum, Fabian Ising of Münster University of Applied Sciences, Sebastian Schinzel of Münster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, Jörg Schwenk of Ruhr University BochumĪs of 0600 UTC on, I cannot find any corresponding fix for iOS. Impact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mailĭescription: An issue existed in the handling of S/MIME HTML e-mail. It appears that macOS High Sierra 10.13.4 does address direct exfiltration of S/MIME email, with the following fix now reported in its security release notes: In the case of Apple’s Mail, it would appear to still leave encrypted messages vulnerable: “Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.”Īpple has been informed of these vulnerabilities on and.
![best email clients for mac with gpg best email clients for mac with gpg](https://www.ubuntupit.com/wp-content/uploads/2021/01/claws_mail-768x548.jpg)
Regarding the strategy of disabling HTML rendering, they state “disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL”, but that does not solve all the problems. If you use S/MIME or PGP encryption in any of those combinations, then you are most probably affected, and would be well advised to re-assess your risks.Īs to mitigation strategies, the authors consider that “the best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client.” I don’t know how feasible that would be using, for example, Apple’s Mail app. Apple’s Mail, whether running on macOS or iOS, has also been vulnerable to direct exfiltration attack without user interaction. Additionally, the combinations of Apple Mail or Airmail with GPGTools, and Thunderbird with Enigmail, have also been vulnerable. They claim that S/MIME encryption provided by Apple Mail, MailMate, Airmail, and Apple’s Mail on iOS, together with Microsoft Outlook and Thunderbird have been vulnerable, without any PGP installation. Fuller details have now been published about the EFAIL vulnerabilities in PGP and S/MIME email encryption, at the authors’ dedicated website.