The issue arose after researchers from three German universities claimed to have devised an attack the called Efail, which they said would allow the decryption of current and past emails scrambled with PGP or GnuPG and exfiltration of the decoded content.
There was initially concern among cyber-security researchers that the issue affected the core protocol of PGP - meaning that all uses of the encryption method, including file encryption, could be made vulnerable. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. Mozilla referred questions to the Thunderbird Council, the third-party open-source software group that maintains the Thunderbird email app. Ryan Sipes, a Thunderbird community manager, said a patch is being developed and will be distributed as an update by the end of the week.
The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed Efail described by a team of European researchers. The new e-mail would embed portions of the cipertext in places that often aren't displayed by Thunderbird, Mail, Outlook, and more than two-dozen other e-mail programs.
Attackers who exploit the vulnerability are able to change an encrypted email in a certain way and send then send the altered encrypted email to the victim. Users can employ PGP-compatible email clients themselves, and many secure webmail clients also make use of PGP.
EFF said in a blog post that users should uninstall PGP until the flaw is patched.
WWE Monday Night Raw preview and schedule
The qualifiers for the Money in the Bank ladder match 2018 edition will be the main focus on tonight's show. Jose and Corbin are the midst of a feud because Baron doesn't like other WWE Superstars having fun.
More specifically, the vulnerability has been discovered in the PGP or S/MIME software for email encryption. Encrypting messages is still safer than not encrypting them-EFAIL basically just lets attackers read messages they've already compromised in some other way-but it's still not enough to truly protect the contents of those emails. The Electronic Frontier Foundation has recommended that people temporarily stop using PGP email plugins, and use non-email based platforms like Signal for encrypted messages. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication.
Cluley also pointed out that it is not a new problem - the root problem of mail clients attempting to display corrupted S/MIME messages has been known about since 2000. PGP has been a popularly adopted standard for email encryption. While doing so, the client loads any external content, thus, exfiltrating the plaintext to the attacker.
If you want to continue to send and receive PGP-encrypted emails, the researchers advise decrypting those messages in a separate application, not your email client.
A more permanent fix requires changes to OpenPGP and S/MIME standards and it is not going to happen overnight.