“Here’s how to protect yourself from the EFAIL vulnerability in Apple Mail on both iOS and macOS,” Bryan M. Wolfe reports for iDownload Blog. “These temporary fixes come after the new vulnerability was discovered that allows hackers to derive decrypted plaintext from encrypted emails. For the attack to work, the third party must be in possession of your encrypted S/MIME or PGP emails.”
“Although Apple’s likely to offer a fix to this vulnerability sooner rather than later, there are things you can do now to make your email more secure,” Wolfe reports. “The Electronic Frontier Foundation (EFF) was the first to discover this vulnerability.”
“The first method involves removing the GPGTools/GPGMail encryption plugin from Apple Mail on macOS,” Wolfe reports. “Keep in mind this vulnerability is most likely to occur in an environment that relies on S/MIME and PGP encrypted email communications to talk in private. The average Apple Mail user is almost certainly not using any of these tools.”
Read more in the full article here.
“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages,” Danny O’Brien and Gennie Gebhart report for EFF.
“The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific),” O’Brien and Gebhart report. “In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.”
Read more in the full article here.
MacDailyNews Note: Mac users of PGP-encrypted email should immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. iOS users should disable “Load Remote Images” in Mail settings. Read the full articles above for details.
Is EFAIL a major fail?
The findings are being questioned big time.
https://www.itwire.com/security/82781-encryption-flaws-claimed,-but-researchers-findings-questioned.html
As per 9to5 Mac:
Security flaws found in Apple Mail can reveal encrypted email as plaintext
If you are worried about being targeted by this, you can disable the loading of remote content as a mitigation
This mitigation is simple and is one that everyone should already be using!
UNcheck ‘Load remote content in messages’. You’ll find the check box under Mail/Preferences/Viewing/Show message headers.
Why keep remote content loading OFF?
• It’s a primary step in securing any eMail client program.
• It blocks the download of WebBugs, files used to surveil your IP address and verify your email address. Here comes the spam.
• It blocks the automatic download of malware and malicious files.
• In this case, it allows you to continue using encrypted mail solutions without having to worry about the encrypted eMail exploit.
Now isn’t it ironic as hell that Outlook blocks remote content by default, but Mail doesn’t ?
Yup! And Apple still has this thing checked ON by default in Safari: “Open “safe” files after downloading”. They’ve had the folly of that setting, even the existence of that setting, pointed out to them for at least two decades. They don’t get it. Knock Knock. Nobody home. 🙁 I was hoping Jonathan Zdziarski’s (computer security expert of renown) arrival at Apple would clear out the dreck. Nope! Not so far anyway.
🙁 🙁 🙁