Unfixed bugs in widely used e-mail programs make it possible for attackers to obtain the plaintext of messages that are encrypted using the PGP and S/MIME standards, researchers said early Monday morning.
EFF also advises users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted emails, and switch to safer tools until the issue is resolved.
An attacker could gain access to encrypted emails by monitoring network traffic, compromising email servers or the computers of users, or gaining access to backup servers. An attacker with any of these kinds of access can ambush users of OpenPGP and S/MIME by sending a slightly modified S/MIME email to the victim's address.
Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allowing encrypted HTML messages to be parsed and rendered.
"It's a lot of steps for sure, and one that honestly is more hypothetical than it is unsafe", Dave Kennedy, the chief executive at security company TrustedSec, said. The attack, as explained by The Verge, allows bad actors to "inject malicious code into intercepted emails, despite encryption protocols created to protect against code injection".
"[The researchers] figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails".
The Electronic Frontier Foundation (EFF) has passed on the warning issued by a group of European security researchers after they found a set of vulnerabilities in PGP and S/MIME.
In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on "Securing Communication of Protected Client Information".
The second method, called the "CBC/CFB Gadget Attack", resides within the PGP and S/MIME specifications themselves and affects all email clients.
Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, said the paper would be published ahead of a scheduled date later this week after the embargo was broken.
Some experts, however, questioned the EFF's recommendation. They do note, however, that disabling HTML rendering won't completely stop EFAIL attacks.